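variable "environment" {
  description = "Environment name (for example dev, test, prod) used to distinguish deployments of this module."
  type        = string
  default     = "dev"
}

variable "cluster_version" {
  description = "EKS Kubernetes control-plane version as <major>.<minor>, e.g. \"1.28\". The default node AMI lookup also matches on this value (see ami_regex_override)."
  type        = string
  default     = "1.28"

  validation {
    condition     = can(regex("^[0-9]+\\.[0-9]+$", var.cluster_version))
    error_message = "cluster_version must be a <major>.<minor> Kubernetes version string such as \"1.28\"."
  }
}

variable "cluster_service_cidr" {
  description = "IPv4 CIDR block from which Kubernetes assigns Service ClusterIPs. It must not overlap the VPC ranges given in vpc_cidr_blocks, and EKS treats a change as a cluster replacement."
  type        = string
  default     = "172.20.0.0/16"

  validation {
    condition     = can(cidrhost(var.cluster_service_cidr, 0))
    error_message = "cluster_service_cidr must be a valid CIDR block, e.g. 172.20.0.0/16."
  }
}

variable "ami_date" {
  # How this value is applied to the AMI lookup is defined by the AMI data
  # source, not here; presumably it pins a dated AMI build (confirm in main.tf).
  description = "Optional date component for the node AMI lookup. Empty string (the default) leaves the lookup unpinned."
  type        = string
  default     = ""
}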
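## Default node group
variable "general_node_pool" {
  # Declared as `any` rather than an object type, presumably so callers can
  # omit keys. The trade-off is that no shape checking happens at plan time:
  # a misspelled key is silently ignored until the node group resources fail.
  description = "General node pool, required for hosting core services. Expected keys (from the default): instance_type, desired_size, max_size, min_size, labels (kubelet node labels) and taints."
  type        = any
  default = {
    instance_type = "c5.2xlarge"
    desired_size  = 3
    max_size      = 5
    min_size      = 2
    # Map of label flags for kubelets.
    labels = { general = "true" }
    taints = {}
  }
}

variable "custom_node_pools" {
  description = "Map of additional node pools keyed by pool name. Each entry takes the same keys as general_node_pool plus an optional subnet_ids list; see the commented example. Empty by default, so no extra pools are created."
  type        = any
  default     = {}
  # Example entry:
  # runners = {
  #   instance_type = "c4.xlarge"
  #   desired_size  = 1
  #   max_size      = 1
  #   min_size      = 1
  #   labels        = { gitlab-runners-go-here = "true" }
  #   taints        = { better-watch-out-for-gitlab-runners = "true:NoSchedule" }
  #   subnet_ids    = ["list", "of", "subnet", "ids"]
  # }
}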
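variable "cluster_name" {
  description = "Name of the EKS cluster. Required (no default) so two deployments cannot silently share a name."
  type        = string

  validation {
    condition     = can(regex("^[0-9A-Za-z][A-Za-z0-9_-]{0,99}$", var.cluster_name))
    error_message = "cluster_name must be 1-100 characters, start with a letter or digit, and contain only letters, digits, hyphens and underscores (EKS naming rules)."
  }
}

variable "iam_role_path" {
  description = "IAM path under which the module's IAM roles are created. Must begin and end with \"/\"."
  type        = string
  default     = "/delegatedadmin/developer/"

  validation {
    condition     = can(regex("^/([^/]+/)*$", var.iam_role_path))
    error_message = "iam_role_path must start and end with \"/\", e.g. \"/\" or \"/delegatedadmin/developer/\"."
  }
}

variable "iam_role_permissions_boundary" {
  # NOTE(review): the default pins a policy in one specific AWS account
  # (373346310182). The ARN only resolves in that account, so any other
  # account must override this or role creation fails at apply time.
  # An empty string passes validation; whether it disables the boundary
  # depends on how the IAM role resources consume it - confirm in main.tf.
  description = "ARN of the IAM permissions boundary policy applied to the roles this module creates. The default is account-specific and must be overridden outside that account."
  type        = string
  default     = "arn:aws:iam::373346310182:policy/cms-cloud-admin/developer-boundary-policy"

  validation {
    condition     = var.iam_role_permissions_boundary == "" || can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:policy/", var.iam_role_permissions_boundary))
    error_message = "iam_role_permissions_boundary must be an IAM policy ARN of the form arn:aws:iam::<account-id>:policy/<name>."
  }
}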
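variable "vpc_id" {
  description = "ID of the VPC the cluster and its nodes are deployed into."
  type        = string

  validation {
    condition     = can(regex("^vpc-[0-9a-f]+$", var.vpc_id))
    error_message = "vpc_id must be a VPC ID such as vpc-0123456789abcdef0."
  }
}

variable "private_subnets" {
  description = "Subnet IDs for the EKS control plane ENIs. Unless host_subnets is set, node instances are launched in these subnets too."
  type        = list(any)
}

variable "host_subnets" {
  description = "Override the EC2 instance subnets. By default instances are launched in private_subnets, just like the EKS control plane."
  type        = list(any)
  default     = []
}

variable "alb_subnets_by_zone" {
  # The name suggests a map of availability zone -> subnet ID; confirm the
  # expected key/value shape against the ALB resources that consume it.
  description = "Map keyed by availability zone giving the subnet ID to place the ALB in for that zone."
  type        = map(string)
}

variable "cluster_enabled_log_types" {
  # An empty list disables control-plane logging entirely. For incident
  # response keep at least "audit" and "authenticator": they are the only
  # record of who called the Kubernetes API and how they authenticated.
  description = "List of control plane log types to ship to CloudWatch. See https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html"
  type        = list(string)
  default     = ["api", "audit", "authenticator", "controllerManager", "scheduler"]

  validation {
    condition = alltrue([
      for t in var.cluster_enabled_log_types :
      contains(["api", "audit", "authenticator", "controllerManager", "scheduler"], t)
    ])
    error_message = "cluster_enabled_log_types may only contain: api, audit, authenticator, controllerManager, scheduler."
  }
}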
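### Resource tags
variable "tags" {
  description = "Global resource tags to apply to all resources. null applies no additional tags."
  type        = map(any)
  default     = null
}

variable "instance_tags" {
  description = "Additional tags applied to the EC2 node instances only. null applies no additional tags."
  type        = map(any)
  default     = null
}

variable "cluster_additional_sg_prefix_lists" {
  description = "Managed prefix list IDs (pl-...) granted access in the cluster security group. Required; pass [] to add none."
  type        = list(string)

  validation {
    condition     = alltrue([for p in var.cluster_additional_sg_prefix_lists : can(regex("^pl-[0-9a-f]+$", p))])
    error_message = "Every entry in cluster_additional_sg_prefix_lists must be a managed prefix list ID such as pl-0123456789abcdef0."
  }
}

variable "cluster_security_group_additional_rules" {
  description = "Map of extra security group rules attached to the cluster security group. Supplied here because the cluster security group cannot be swapped later without replacing the cluster."
  type        = map(any)
  default     = {}
}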
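variable "grant_delete_ebs_volumes_lambda_access" {
  description = "When true, a cluster role and binding are created granting the delete-ebs-volumes Lambda access to the PersistentVolumes API. Pair it with delete_ebs_volume_role_arn."
  type        = bool
  default     = false
}

variable "node_https_ingress_cidr_blocks" {
  # NOTE(review): 100.0.0.0/8 is far wider than the RFC 6598 shared address
  # space (100.64.0.0/10); the rest of 100.0.0.0/8 is publicly routable
  # address space. If the intent is carrier-grade NAT / transit ranges,
  # override this with 100.64.0.0/10 rather than the whole /8.
  description = "List of CIDR blocks allowed to reach the nodes on the HTTPS port."
  type        = list(string)
  default     = ["10.0.0.0/8", "100.0.0.0/8"]

  validation {
    condition     = alltrue([for c in var.node_https_ingress_cidr_blocks : can(cidrhost(c, 0))])
    error_message = "Every entry in node_https_ingress_cidr_blocks must be a valid CIDR block."
  }
}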
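variable "alb_restricted_hosts" {
  # What an empty set means (allow any Host header, or allow none) is
  # decided by the listener rules that consume it, not here - confirm
  # before relying on the default as a restriction.
  description = "Set of Host header values the private ALB will serve. Defaults to empty."
  type        = set(string)
  default     = []
}

variable "alb_proxy_restricted_hosts" {
  # Same caveat as alb_restricted_hosts: the semantics of an empty set are
  # defined by the proxy ALB listener rules.
  description = "Set of Host header values the proxy ALB will serve. Defaults to empty."
  type        = set(string)
  default     = []
}

variable "alb_shared_restricted_hosts" {
  description = "Set of Host header values the shared ALB will serve. Defaults to a placeholder that matches nothing, so the shared load balancer denies traffic until it is configured explicitly."
  type        = set(string)
  default     = ["deny-by-default.example.com"]

  validation {
    condition     = length(var.alb_shared_restricted_hosts) > 0
    error_message = "alb_shared_restricted_hosts must contain at least one host; use the deny-by-default placeholder rather than an empty set."
  }
}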
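variable "create_alb_proxy" {
  description = "Create an Application Load Balancer proxy in front of the Kubernetes ALB to expose it from the public Internet."
  type        = bool
  default     = false
}

variable "alb_proxy_is_internal" {
  # Defaults to internet-facing because that is the proxy's purpose. When it
  # is created, restrict exposure with alb_proxy_ingress_cidrs /
  # alb_proxy_ingress_prefix_lists and alb_proxy_restricted_hosts.
  description = "Whether the ALB proxy uses internal IPs. Defaults to false (internet-facing), since the proxy exists to make the cluster reachable over the Internet."
  type        = bool
  default     = false
}

variable "alb_proxy_subnets" {
  description = "Subnet IDs the ALB proxy is deployed into. Required when create_alb_proxy is true."
  type        = list(string)
  default     = []

  validation {
    condition     = alltrue([for s in var.alb_proxy_subnets : can(regex("^subnet-[0-9a-f]+$", s))])
    error_message = "Every entry in alb_proxy_subnets must be a subnet ID such as subnet-0123456789abcdef0."
  }
}

variable "create_alb_shared" {
  description = "Create an ALB in the shared subnet."
  type        = bool
  default     = false
}

variable "alb_shared_is_internal" {
  # Same exposure caveat as alb_proxy_is_internal: internet-facing by
  # default, so pair it with alb_shared_ingress_cidrs / prefix lists.
  description = "Whether the shared-subnet ALB uses internal IPs. Defaults to false (internet-facing), since this ALB exists to be reachable over the Internet."
  type        = bool
  default     = false
}

variable "alb_shared_subnets" {
  description = "Subnet IDs for the ALB in the shared subnet. Required when create_alb_shared is true."
  type        = list(string)
  default     = []

  validation {
    condition     = alltrue([for s in var.alb_shared_subnets : can(regex("^subnet-[0-9a-f]+$", s))])
    error_message = "Every entry in alb_shared_subnets must be a subnet ID such as subnet-0123456789abcdef0."
  }
}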
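variable "acm_cert_base_domain" {
  description = "Base domain of the ACM certificate used by the ALB proxy listener. Empty by default; required when create_alb_proxy is true."
  type        = string
  default     = ""
}

variable "alb_proxy_ingress_cidrs" {
  # Whether an empty list means "no access" or "no restriction" is decided
  # by the security group rules that consume it - confirm before relying on
  # the default for a public load balancer.
  description = "CIDR blocks allowed to reach the ALB proxy; restricts public access to a known set of source IPs."
  type        = list(string)
  default     = []

  validation {
    condition     = alltrue([for c in var.alb_proxy_ingress_cidrs : can(cidrhost(c, 0))])
    error_message = "Every entry in alb_proxy_ingress_cidrs must be a valid CIDR block."
  }
}

variable "alb_proxy_ingress_prefix_lists" {
  description = "Managed prefix list IDs (pl-...) allowed to reach the ALB proxy; restricts public access to a known set of source IPs."
  type        = list(string)
  default     = []

  validation {
    condition     = alltrue([for p in var.alb_proxy_ingress_prefix_lists : can(regex("^pl-[0-9a-f]+$", p))])
    error_message = "Every entry in alb_proxy_ingress_prefix_lists must be a managed prefix list ID such as pl-0123456789abcdef0."
  }
}

variable "alb_shared_ingress_cidrs" {
  # Same empty-list caveat as alb_proxy_ingress_cidrs.
  description = "CIDR blocks allowed to reach the shared-subnet ALB; restricts public access to a known set of source IPs."
  type        = list(string)
  default     = []

  validation {
    condition     = alltrue([for c in var.alb_shared_ingress_cidrs : can(cidrhost(c, 0))])
    error_message = "Every entry in alb_shared_ingress_cidrs must be a valid CIDR block."
  }
}

variable "alb_shared_ingress_prefix_lists" {
  description = "Managed prefix list IDs (pl-...) allowed to reach the shared-subnet ALB; restricts public access to a known set of source IPs."
  type        = list(string)
  default     = []

  validation {
    condition     = alltrue([for p in var.alb_shared_ingress_prefix_lists : can(regex("^pl-[0-9a-f]+$", p))])
    error_message = "Every entry in alb_shared_ingress_prefix_lists must be a managed prefix list ID such as pl-0123456789abcdef0."
  }
}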
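variable "alb_deletion_protection" {
  # Off by default; consider enabling for any internet-facing or
  # production load balancer so a stray destroy cannot remove it.
  description = "Enable or disable deletion protection on both ALBs."
  type        = bool
  default     = false
}

variable "alb_drop_invalid_header_fields" {
  # The original description claimed the default was false; the declared
  # default is true, which is the safer setting (malformed headers are
  # dropped instead of forwarded to targets).
  description = "Whether the load balancer removes HTTP headers with invalid field names (true) or routes them to targets (false). Defaults to true. Elastic Load Balancing requires header names to contain only alphanumeric characters and hyphens. Only applies to Application Load Balancers."
  type        = bool
  default     = true
}

variable "alb_idle_timeout" {
  description = "Idle connection timeout for the ALBs, in seconds (1-4000). Kept as a string for backward compatibility; numeric strings such as \"60\" are accepted."
  type        = string
  default     = "60"

  validation {
    condition     = try(tonumber(var.alb_idle_timeout) >= 1 && tonumber(var.alb_idle_timeout) <= 4000, false)
    error_message = "alb_idle_timeout must be a number of seconds between 1 and 4000."
  }
}

variable "alb_public_tags" {
  description = "Additional tags for the public ALB. null adds none."
  type        = map(any)
  default     = null
}

variable "alb_private_tags" {
  description = "Additional tags for the private ALB. null adds none."
  type        = map(any)
  default     = null
}

variable "alb_ssl_security_policy" {
  description = "Predefined ELB TLS security policy for the HTTPS listeners. The default is a restrictive TLS 1.2/1.3 policy."
  type        = string
  default     = "ELBSecurityPolicy-TLS13-1-2-Res-2021-06"

  validation {
    condition     = can(regex("^ELBSecurityPolicy-", var.alb_ssl_security_policy))
    error_message = "alb_ssl_security_policy must be one of the predefined ELBSecurityPolicy-* names."
  }
}

variable "logging_bucket" {
  # With the default of null there are no ALB access logs to fall back on
  # during an investigation; set this for anything internet-facing.
  description = "Name of the S3 bucket that receives load balancer access logs. null leaves access logging unconfigured."
  type        = string
  default     = null
}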
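### Cosign OpenID Connect Audiences
variable "openid_connect_audiences" {
  # The section header ties these to Cosign keyless signing; how they are
  # attached (e.g. as extra client IDs on the cluster OIDC provider) is
  # defined by the resources that consume them, not here.
  description = "Additional OpenID Connect audiences (client IDs) to accept. Empty by default."
  type        = list(string)
  default     = []
}

variable "create_cosign_iam_role" {
  description = "When true, create an IAM role for Cosign. Defaults to false."
  type        = bool
  default     = false
}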
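variable "autoscaling_group_tags" {
  description = "Tags applied to every autoscaling group the module creates. Empty by default."
  type        = map(any)
  default     = {}
}

variable "ami_regex_override" {
  # Overriding the lookup pattern changes which image the nodes boot from;
  # keep it specific to the intended AMI family and version, and check the
  # resulting AMI ID in the plan.
  description = "Overrides the default AMI lookup regex, which otherwise selects the latest AMI matching cluster_version. Empty string keeps the default."
  type        = string
  default     = ""

  validation {
    # regexall, not regex: regex() errors on no-match, regexall only on an
    # invalid pattern, which is the only thing we want to reject here.
    condition     = var.ami_regex_override == "" || can(regexall(var.ami_regex_override, ""))
    error_message = "ami_regex_override must be empty or a valid regular expression."
  }
}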
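variable "node_schedule_shutdown_hour" {
  description = "Hour of the day (0-23) at which the nodes are shut down, every day. -1 (the default) disables the shutdown schedule."
  type        = number
  default     = -1

  validation {
    condition     = var.node_schedule_shutdown_hour == -1 || (var.node_schedule_shutdown_hour >= 0 && var.node_schedule_shutdown_hour <= 23)
    error_message = "node_schedule_shutdown_hour must be -1 (disabled) or an hour from 0 to 23."
  }
}

variable "node_schedule_startup_hour" {
  description = "Hour of the day (0-23) at which the nodes are started again, every weekday. -1 (the default) means the nodes are not restarted after shutdown."
  type        = number
  default     = -1

  validation {
    condition     = var.node_schedule_startup_hour == -1 || (var.node_schedule_startup_hour >= 0 && var.node_schedule_startup_hour <= 23)
    error_message = "node_schedule_startup_hour must be -1 (disabled) or an hour from 0 to 23."
  }
}

variable "node_schedule_shutdown_cron" {
  description = "Cron expression for the shutdown schedule. Empty (the default) disables the shutdown schedule. Takes precedence over node_schedule_shutdown_hour."
  type        = string
  default     = ""
}

variable "node_schedule_startup_cron" {
  description = "Cron expression for the startup schedule. Empty (the default) means the nodes are not restarted after shutdown. Takes precedence over node_schedule_startup_hour."
  type        = string
  default     = ""
}

variable "node_schedule_timezone" {
  description = "Time zone the schedule is evaluated in, e.g. 'America/New_York', 'America/Chicago', 'America/Denver', 'America/Los_Angeles', 'Pacific/Honolulu'. See https://www.joda.org/joda-time/timezones.html"
  type        = string
  default     = "America/New_York"
}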
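variable "enable_hoplimit" {
  # Security note: a hop limit of 1 stops pods in the node's bridged
  # network namespace from reaching IMDS, and therefore from obtaining the
  # node's instance-role credentials. It is off by default here; enabling
  # it is the usual hardening unless a workload legitimately needs IMDS.
  description = "Enable an IMDSv2 hop limit of 1 on all nodes. Defaults to false."
  type        = bool
  default     = false
}

variable "vpc_cidr_blocks" {
  description = "List of CIDR blocks associated with the VPC. Required."
  type        = list(string)

  validation {
    condition     = length(var.vpc_cidr_blocks) > 0 && alltrue([for c in var.vpc_cidr_blocks : can(cidrhost(c, 0))])
    error_message = "vpc_cidr_blocks must contain at least one valid CIDR block."
  }
}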
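variable "enable_self_managed_nodes" {
  description = "Create self-managed node groups. Defaults to true."
  type        = bool
  default     = true
}

variable "enable_eks_managed_nodes" {
  description = "Create EKS managed node groups. Defaults to false."
  type        = bool
  default     = false
}

variable "force_update_version" {
  description = "Force a node group version update even if pods cannot be drained within the grace period. Defaults to true."
  type        = bool
  default     = true
}

variable "custom_node_policy_arns" {
  # Every policy listed here is attached to the node instance role, which
  # every pod without its own service-account role inherits via IMDS
  # (see enable_hoplimit). Keep this set minimal.
  description = "Additional IAM policy ARNs attached to the node role. Accepts customer-managed and AWS-managed (arn:aws:iam::aws:policy/...) policies."
  type        = set(string)
  default     = []

  validation {
    condition     = alltrue([for a in var.custom_node_policy_arns : can(regex("^arn:aws[a-z-]*:iam::(aws|[0-9]{12}):policy/", a))])
    error_message = "Every entry in custom_node_policy_arns must be an IAM policy ARN (arn:aws:iam::<account-id|aws>:policy/...)."
  }
}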
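variable "enable_ssm_patching" {
  description = "Enable AWS Systems Manager patching of the node instances. Defaults to false."
  type        = bool
  default     = false
}

variable "ssm_iam_patching_policy" {
  description = "Name of the IAM policy granting Systems Manager the permissions needed for patching. The default is environment-specific; confirm it exists in the target account."
  type        = string
  default     = "cms-cloud-ssm-iam-policy-v3"
}

variable "ssm_tag_patch_group" {
  # The patch group must match the OS family of the node AMI actually
  # selected (see ami_regex_override); the default assumes Amazon Linux 2.
  description = "Value of the Patch Group tag applied to instances for SSM patching. See https://cloud.cms.gov/patching-prerequisites"
  type        = string
  default     = "AL2"
}

variable "ssm_tag_patch_window" {
  description = "Value of the patch window tag applied to instances for SSM patching. See https://cloud.cms.gov/patching-prerequisites"
  type        = string
  default     = "ITOPS-Wave1-Non-Mktplc-DevTestImpl-MW"
}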
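variable "enable_cluster_creator_admin_permissions" {
  # NOTE(review): with the default of true, whichever principal ran the
  # initial apply keeps cluster-admin indefinitely and does not appear in
  # admin_principal_arns. Prefer false plus an explicit entry in
  # admin_principal_arns so every admin is visible in configuration.
  description = "Grant the IAM principal that created the cluster admin permissions. Defaults to true."
  type        = bool
  default     = true
}

# ################################################################################
# # Access Entry
# ################################################################################
## The variables below hold the IAM principal ARNs that require cluster access.
variable "admin_principal_arns" {
  description = "IAM role or user ARNs granted admin access to the cluster."
  type        = list(string)
  default     = []

  validation {
    condition     = alltrue([for a in var.admin_principal_arns : can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:(role|user)/", a))])
    error_message = "Every entry in admin_principal_arns must be an IAM role or user ARN (arn:aws:iam::<account-id>:role/... or :user/...)."
  }
}

variable "admin_readonly_principal_arns" {
  description = "IAM role or user ARNs granted read-only admin access to the cluster."
  type        = list(string)
  default     = []

  validation {
    condition     = alltrue([for a in var.admin_readonly_principal_arns : can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:(role|user)/", a))])
    error_message = "Every entry in admin_readonly_principal_arns must be an IAM role or user ARN (arn:aws:iam::<account-id>:role/... or :user/...)."
  }
}

variable "delete_ebs_volume_role_arn" {
  description = "IAM role ARN of the delete-ebs-volumes Lambda. Empty (the default) when grant_delete_ebs_volumes_lambda_access is false."
  type        = string
  default     = ""

  validation {
    condition     = var.delete_ebs_volume_role_arn == "" || can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:role/", var.delete_ebs_volume_role_arn))
    error_message = "delete_ebs_volume_role_arn must be empty or an IAM role ARN (arn:aws:iam::<account-id>:role/...)."
  }
}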