forked from Guimove/terraform-aws-bastion
-
Notifications
You must be signed in to change notification settings - Fork 1
/
variables.tf
193 lines (155 loc) · 4.65 KB
/
variables.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
variable "bucket_name" {
description = "Bucket name were the bastion will store the logs"
}
variable "bucket_versioning" {
default = true
description = "Enable bucket versioning or not"
}
variable "bucket_force_destroy" {
default = false
description = "The bucket and all objects should be destroyed when using true"
}
variable "tags" {
description = "A mapping of tags to assign"
default = {}
type = map(string)
}
variable "region" {
}
variable "cidrs" {
description = "List of CIDRs than can access to the bastion. Default : 0.0.0.0/0"
type = list(string)
default = [
"0.0.0.0/0",
]
}
variable "is_lb_private" {
description = "If TRUE the load balancer scheme will be \"internal\" else \"internet-facing\""
}
variable "vpc_id" {
description = "VPC id were we'll deploy the bastion"
}
variable "bastion_host_key_pair" {
description = "Select the key pair to use to launch the bastion host"
}
variable "hosted_zone_id" {
description = "Name of the hosted zone were we'll register the bastion DNS name"
default = ""
}
variable "bastion_record_name" {
description = "DNS record name to use for the bastion"
default = ""
}
variable "bastion_launch_template_name" {
description = "Bastion Launch template Name, will also be used for the ASG"
default = "bastion-lt"
}
variable "bastion_security_group_id" {
description = "Custom security group to use"
default = ""
}
variable "bastion_additional_security_groups" {
description = "List of additional security groups to attach to the launch template"
type = list(string)
default = []
}
variable "bastion_ami" {
type = string
description = "The AMI that the Bastion Host will use."
default = ""
}
variable "elb_subnets" {
type = list(string)
description = "List of subnet were the ELB will be deployed"
}
variable "auto_scaling_group_subnets" {
type = list(string)
description = "List of subnet were the Auto Scalling Group will deploy the instances"
}
variable "associate_public_ip_address" {
default = true
}
variable "bastion_instance_count" {
default = 1
}
variable "create_dns_record" {
description = "Choose if you want to create a record name for the bastion (LB). If true 'hosted_zone_id' and 'bastion_record_name' are mandatory "
}
variable "log_auto_clean" {
description = "Enable or not the lifecycle"
default = false
}
variable "log_standard_ia_days" {
description = "Number of days before moving logs to IA Storage"
default = 30
}
variable "log_glacier_days" {
description = "Number of days before moving logs to Glacier"
default = 60
}
variable "log_expiry_days" {
description = "Number of days before logs expiration"
default = 90
}
variable "public_ssh_port" {
description = "Set the SSH port to use from desktop to the bastion"
default = 22
}
variable "private_ssh_port" {
description = "Set the SSH port to use between the bastion and private instance"
default = 22
}
variable "extra_user_data_content" {
description = "Additional scripting to pass to the bastion host. For example, this can include installing postgresql for the `psql` command."
type = string
default = ""
}
variable "allow_ssh_commands" {
description = "Allows the SSH user to execute one-off commands. Pass true to enable. Warning: These commands are not logged and increase the vulnerability of the system. Use at your own discretion."
type = bool
default = false
}
variable "bastion_iam_role_name" {
description = "IAM role name to create"
type = string
default = null
}
variable "bastion_iam_policy_name" {
description = "IAM policy name to create for granting the instance role access to the bucket"
default = "BastionHost"
}
variable "bastion_iam_permissions_boundary" {
description = "IAM Role Permissions Boundary to constrain the bastion host role"
default = ""
}
variable "instance_type" {
description = "Instance size of the bastion"
default = "t3.nano"
}
variable "disk_encrypt" {
description = "Instance EBS encrypt"
type = bool
default = true
}
variable "disk_size" {
description = "Root EBS size in GB"
type = number
default = 8
}
variable "enable_logs_s3_sync" {
description = "Enable cron job to copy logs to S3"
type = bool
default = true
}
variable "kms_enable_key_rotation" {
description = "Enable key rotation for the KMS key"
type = bool
default = false
}
variable "ipv6_cidrs" {
description = "List of IPv6 CIDRs than can access to the bastion. Default : ::/0"
type = list(string)
default = [
"::/0",
]
}