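variable "cloudwatch" {
  description = <<EOF
(Optional) The configuration of CloudWatch in the current AWS region. `cloudwatch` as defined below.
(Optional) `oam_sink` - A configuration of CloudWatch OAM(Observability Access Manager) sink. `oam_sink` as defined below.
(Required) `name` - The name of the CloudWatch OAM sink.
(Optional) `telemetry_types` - A set of the telemetry types can be shared with it. Valid values are `AWS::CloudWatch::Metric`, `AWS::Logs::LogGroup`, `AWS::XRay::Trace`, `AWS::ApplicationInsights::Application`, `AWS::InternetMonitor::Monitor`.
(Optional) `allowed_source_accounts` - A list of the IDs of AWS accounts that will share data with this monitoring account.
(Optional) `allowed_source_organizations` - A list of the organization IDs of AWS accounts that will share data with this monitoring account.
(Optional) `allowed_source_organization_paths` - A list of the organization paths of the AWS accounts that will share data with this monitoring account.
(Optional) `tags` - A map of tags to add to the resource.
EOF
  type = object({
    # `oam_sink` has no default, so it resolves to null when omitted.
    oam_sink = optional(object({
      name            = string
      telemetry_types = optional(set(string), [])
      # The three `allowed_source_*` lists are the trust boundary of the sink:
      # per the description, only the listed accounts / organizations / OU
      # paths can share telemetry into this monitoring account.
      allowed_source_accounts           = optional(list(string), [])
      allowed_source_organizations      = optional(list(string), [])
      allowed_source_organization_paths = optional(list(string), [])
      tags                              = optional(map(string), {})
    }))
  })
  default  = {}
  nullable = false

  # `oam_sink` may be null, so every check is wrapped in a conditional instead
  # of dereferencing it directly.
  validation {
    condition = (
      var.cloudwatch.oam_sink == null
      ? true
      : alltrue([
        for telemetry_type in var.cloudwatch.oam_sink.telemetry_types :
        contains([
          "AWS::CloudWatch::Metric",
          "AWS::Logs::LogGroup",
          "AWS::XRay::Trace",
          "AWS::ApplicationInsights::Application",
          "AWS::InternetMonitor::Monitor",
        ], telemetry_type)
      ])
    )
    error_message = "Valid values for each value of `telemetry_types` are `AWS::CloudWatch::Metric`, `AWS::Logs::LogGroup`, `AWS::XRay::Trace`, `AWS::ApplicationInsights::Application`, `AWS::InternetMonitor::Monitor`."
  }
  # AWS account IDs are exactly 12 digits; catching a typo here is cheaper than
  # discovering a mis-scoped sink policy after apply.
  validation {
    condition = (
      var.cloudwatch.oam_sink == null
      ? true
      : alltrue([
        for account_id in var.cloudwatch.oam_sink.allowed_source_accounts :
        can(regex("^[0-9]{12}$", account_id))
      ])
    )
    error_message = "Each value of `allowed_source_accounts` must be a 12-digit AWS account ID."
  }
}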
variable "ebs_default_encryption" {
  # Regional EBS default-encryption settings. With the default of
  # `enabled = false` the module leaves the account-level default off; set
  # `enabled = true` (optionally with a customer-managed `kms_key`) to turn it on.
  type = object({
    enabled = optional(bool, false)
    # Null means no key is supplied here; which key AWS then uses is decided
    # outside this file — confirm against the resource that consumes it.
    kms_key = optional(string)
  })
  default  = {}
  nullable = false

  description = <<EOF
(Optional) The configuration of the EBS default encryption. `ebs_default_encryption` as defined below.
(Optional) `enabled` - Whether or not default EBS encryption is enabled.
(Optional) `kms_key` - The ARN of the AWS Key Management Service (AWS KMS) customer master key (CMK) to use to encrypt the EBS volume.
EOF
}
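variable "ec2" {
  description = <<EOF
(Optional) The configuration of EC2 in the current AWS region. `ec2` as defined below.
(Optional) `ami_public_access_enabled` - Whether to allow or block public access for AMIs at the account level to prevent the public sharing of your AMIs in this region. Defaults to `false`.
(Optional) `instance_metadata_defaults` - The configuration of the regional instance metadata default settings. `instance_metadata_defaults` as defined below.
(Optional) `http_enabled` - Whether to enable or disable the HTTP metadata endpoint on your instances. Defaults to `null` (No preference).
(Optional) `http_token_required` - Whether or not the metadata service requires session tokens, also referred to as Instance Metadata Service Version 2 (IMDSv2). Defaults to `null` (No preference).
(Optional) `http_put_response_hop_limit` - A desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel. Valid values are integer from `1` to `64`. Defaults to `null` (No preference).
(Optional) `instance_tags_enabled` - Whether to enable the access to instance tags from the instance metadata service. Defaults to `null` (No preference).
(Optional) `serial_console_enabled` - Whether serial console access is enabled for the current AWS region. Defaults to `false`.
EOF
  type = object({
    ami_public_access_enabled = optional(bool, false)
    # Every attribute below defaults to null, which the description documents
    # as "no preference" (the regional default is left untouched).
    # `http_token_required = true` is the setting that enforces IMDSv2.
    instance_metadata_defaults = optional(object({
      http_enabled                = optional(bool)
      http_token_required         = optional(bool)
      http_put_response_hop_limit = optional(number)
      instance_tags_enabled       = optional(bool)
    }), {})
    serial_console_enabled = optional(bool, false)
  })
  default  = {}
  nullable = false

  # `instance_metadata_defaults` itself defaults to `{}`, so only the hop limit
  # needs a null guard. The range comes straight from the description.
  validation {
    condition = (
      var.ec2.instance_metadata_defaults.http_put_response_hop_limit == null
      ? true
      : (
        var.ec2.instance_metadata_defaults.http_put_response_hop_limit >= 1 &&
        var.ec2.instance_metadata_defaults.http_put_response_hop_limit <= 64 &&
        floor(var.ec2.instance_metadata_defaults.http_put_response_hop_limit) == var.ec2.instance_metadata_defaults.http_put_response_hop_limit
      )
    )
    error_message = "Valid values for `http_put_response_hop_limit` are integers from `1` to `64`."
  }
}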
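variable "guardduty" {
  description = <<EOF
(Optional) The configuration of GuardDuty in the current AWS region. `guardduty` as defined below.
(Optional) `delegated_administrator` - The AWS account ID for the account to designate as the delegated Amazon GuardDuty administrator account for the organization. The delegated administrator will be assigned the two GuardDuty roles required to administer GuardDuty policy in your organization. Can be used in only management account of the organization.
EOF
  type = object({
    # Null (the default) means no delegation is made from this module.
    delegated_administrator = optional(string)
  })
  default  = {}
  nullable = false

  # AWS account IDs are exactly 12 digits. Delegation hands this account
  # organization-wide GuardDuty administration, so reject malformed IDs early.
  validation {
    condition = (
      var.guardduty.delegated_administrator == null
      ? true
      : can(regex("^[0-9]{12}$", var.guardduty.delegated_administrator))
    )
    error_message = "`delegated_administrator` of `guardduty` must be a 12-digit AWS account ID."
  }
}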
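variable "inspector" {
  description = <<EOF
(Optional) The configuration of Inspector in the current AWS region. `inspector` as defined below.
(Optional) `delegated_administrator` - The AWS account ID for the account to designate as the delegated Amazon Inspector administrator account for the organization. The delegated administrator is granted all of the permissions required to administer Inspector for your organization. When you choose a delegated administrator, Inspector is activated for that account. Can be used in only management account of the organization.
EOF
  type = object({
    # Null (the default) means no delegation is made from this module.
    delegated_administrator = optional(string)
  })
  default  = {}
  nullable = false

  # AWS account IDs are exactly 12 digits. Delegation grants this account
  # organization-wide Inspector administration, so reject malformed IDs early.
  validation {
    condition = (
      var.inspector.delegated_administrator == null
      ? true
      : can(regex("^[0-9]{12}$", var.inspector.delegated_administrator))
    )
    error_message = "`delegated_administrator` of `inspector` must be a 12-digit AWS account ID."
  }
}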
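variable "macie" {
  description = <<EOF
(Optional) The configuration of Macie in the current AWS region. `macie` as defined below.
(Optional) `delegated_administrator` - The AWS account ID for the account to designate as the delegated Amazon Macie administrator account for the organization. This can be configured only if Macie is enabled for the organization. The account must be a management account of the organization.
EOF
  type = object({
    # Null (the default) means no delegation is made from this module.
    delegated_administrator = optional(string)
  })
  default  = {}
  nullable = false

  # AWS account IDs are exactly 12 digits. Delegation grants this account
  # organization-wide Macie administration, so reject malformed IDs early.
  validation {
    condition = (
      var.macie.delegated_administrator == null
      ? true
      : can(regex("^[0-9]{12}$", var.macie.delegated_administrator))
    )
    error_message = "`delegated_administrator` of `macie` must be a 12-digit AWS account ID."
  }
}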
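variable "resource_explorer" {
  description = <<EOF
(Optional) The configuration of the Resource Explorer in the current AWS region. `resource_explorer` as defined below.
(Optional) `enabled` - Whether or not to enable the Resource Explorer in the current AWS region. Defaults to `true`.
(Optional) `index_type` - The type of the index. Valid values are `AGGREGATOR`, `LOCAL`. Defaults to `LOCAL`.
(Optional) `views` - A list of views to create. `views` as defined below.
(Required) `name` - The name of the view. The name must be no more than 64 characters long, and can include letters, digits, and the dash (-) character. The name must be unique within its AWS Region.
(Optional) `is_default` - Whether the view is the default view for the AWS Region. Defaults to `false`.
(Optional) `filter_queries` - A list of filter queries. Specify which resources are included in the results of queries made using this view. The filter string is combined using a logical AND operator. Defaults to `[]` (include all resources).
(Optional) `additional_resource_attributes` - A list of additional resource attributes. By default, the results include ARN, owner account, Region, service, and resource type. Valid values are `tags`. Defaults to `[]`.
EOF
  type = object({
    enabled    = optional(bool, true)
    index_type = optional(string, "LOCAL")
    views = optional(list(object({
      name                           = string
      is_default                     = optional(bool, false)
      filter_queries                 = optional(list(string), [])
      additional_resource_attributes = optional(set(string), [])
    })), [])
  })
  default  = {}
  nullable = false

  validation {
    condition = contains(["AGGREGATOR", "LOCAL"], var.resource_explorer.index_type)
    # The message used to name the whole variable; it is `index_type` that is checked.
    error_message = "Valid values for `index_type` of `resource_explorer` are `AGGREGATOR`, `LOCAL`."
  }
  validation {
    condition = alltrue([
      for view in var.resource_explorer.views :
      alltrue([
        for attribute in view.additional_resource_attributes :
        contains(["tags"], attribute)
      ])
    ])
    error_message = "Valid values for each values of `additional_resource_attributes` are `tags`."
  }
  # Name rules from the description: 1-64 characters of letters, digits and `-`.
  validation {
    condition = alltrue([
      for view in var.resource_explorer.views :
      can(regex("^[A-Za-z0-9-]{1,64}$", view.name))
    ])
    error_message = "Each view `name` must be 1 to 64 characters long and contain only letters, digits, and the dash (-) character."
  }
  # Names must be unique within the Region; duplicates inside this list can
  # never satisfy that.
  validation {
    condition     = length(distinct(var.resource_explorer.views[*].name)) == length(var.resource_explorer.views)
    error_message = "Each view `name` of `resource_explorer` must be unique."
  }
  # The description speaks of "the default view" for the Region, so more than
  # one `is_default = true` cannot be satisfied.
  validation {
    condition     = length([for view in var.resource_explorer.views : view if view.is_default]) <= 1
    error_message = "At most one view of `resource_explorer` can set `is_default` to `true`."
  }
}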
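variable "service_quotas_request" {
  description = "(Optional) A map of service quotas to request. The key is `<service-code>/<quota-code>` and the value is a desired value to request."
  type        = map(number)
  default     = {}
  nullable    = false

  # Both halves of the key must be present: a bare `split` length check lets
  # `<service-code>/` or `/<quota-code>` through, which would only fail later
  # at plan/apply time.
  validation {
    condition = alltrue([
      for code, quota in var.service_quotas_request :
      length(split("/", code)) == 2 && alltrue([
        for part in split("/", code) : length(part) > 0
      ])
    ])
    error_message = "Require valid service quota codes. The format is `<service-code>/<quota-code>`."
  }
}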
variable "service_quotas_code_translation_enabled" {
  # Readability switch for the quota codes given in `service_quotas_request`;
  # what "translated" maps to is defined outside this file.
  type     = bool
  default  = false
  nullable = false

  description = "(Optional) Whether to use translated quota code for readability."
}
variable "vpc_availability_zone_groups" {
  # Keyed by Availability Zone Group name; the boolean opts the group in.
  # Per the description, AWS currently offers no way to opt a group back out,
  # so a `false` value is not expected to disable anything.
  type     = map(bool)
  default  = {}
  nullable = false

  description = "(Optional) The configurations to manage Availability Zone Groups for the current AWS region. The key is the name of Availability Zone Group, the value is a boolean value to enable the group. In this time, disabling Availability Zone Group is not supported on AWS."
}
variable "tags" {
  # Tags applied across the module's resources; `nullable = false` means a
  # caller can omit the variable but cannot pass `null` for it.
  type     = map(string)
  default  = {}
  nullable = false

  description = "(Optional) A map of tags to add to all resources."
}
variable "module_tags_enabled" {
  # Toggles the module-provenance tags; which tag keys are written is decided
  # elsewhere in the module.
  type     = bool
  default  = true
  nullable = false

  description = "(Optional) Whether to create AWS Resource Tags for the module informations."
}
###################################################
# Resource Group
###################################################
variable "resource_group_enabled" {
  # On by default: a Resource Group collecting what this module creates.
  type     = bool
  default  = true
  nullable = false

  description = "(Optional) Whether to create Resource Group to find and group AWS resources which are created by this module."
}
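variable "resource_group_name" {
  # Description fixed: "Resource Groupolicy" was a typo for "Resource Group".
  description = "(Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`."
  type        = string
  default     = ""
  nullable    = false

  # The empty default is passed through unchecked; presumably the module
  # derives a name in that case (that logic lives outside this file).
  # The remaining rules are exactly the ones stated in the description.
  validation {
    condition = (
      var.resource_group_name == ""
      ? true
      : (
        length(var.resource_group_name) <= 127 &&
        can(regex("^[A-Za-z0-9._-]+$", var.resource_group_name)) &&
        !can(regex("^(AWS|aws)", var.resource_group_name))
      )
    )
    error_message = "`resource_group_name` can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores, and cannot start with `AWS` or `aws`."
  }
}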
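variable "resource_group_description" {
  # Description fixed: "Resource Groupolicy" was a typo for "Resource Group".
  description = "(Optional) The description of Resource Group."
  type        = string
  default     = "Managed by Terraform."
  nullable    = false
}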