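variable "aws_account_id" {
  description = "The AWS account ID where the OIDC provider lives, leave empty to use the account for the AWS provider"
  type        = string
  default     = ""

  # An AWS account ID is always exactly 12 digits. Fail at plan time on a
  # malformed value instead of letting it surface in whichever resource
  # consumes it outside this file. The empty string keeps its documented
  # "use the provider's account" meaning.
  validation {
    condition     = var.aws_account_id == "" || can(regex("^[0-9]{12}$", var.aws_account_id))
    error_message = "The aws_account_id must be a 12-digit AWS account ID or left empty."
  }
}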
# Tags applied to the IAM role resources created by this module.
variable "tags" {
  type        = map(string)
  default     = {}
  description = "A map of tags to add to IAM role resources"
}
# Explicit IAM role name; null lets the consuming resource pick/generate one
# (how a null is handled is decided outside this file).
variable "role_name" {
  type        = string
  default     = null
  description = "IAM role name"
}
# Name of the RVM role that is trusted in the target accounts.
# Attribute order follows the description/type/default layout used by the
# other variables in this file.
variable "rvm_assume_role_name" {
  description = "The name of the trusted RVM role in the target accounts"
  type        = string
  default     = "github-assume-role-rvm"
}
# GitHub repository the role is scoped to.
# NOTE(review): presumably required when principal_type is "github"; this file
# does not enforce it, so confirm against the trust policy definition.
variable "repository_name" {
  type        = string
  default     = null
  description = "Github Repository name"
}
# Free-text description attached to the IAM role.
variable "role_description" {
  type        = string
  default     = null
  description = "Role description"
}
# ARN of the policy used as the role's permissions boundary; the empty string
# means no boundary is applied. Not validated here, so a malformed ARN is only
# caught by the consuming resource.
variable "role_permissions_boundary_arn" {
  type        = string
  default     = ""
  description = "Permissions boundary ARN to use for IAM role"
}
# Upper bound on how long a single assumed-role session may live.
variable "max_session_duration" {
  type        = number
  default     = 3600
  description = "Maximum CLI/API session duration in seconds between 3600 and 43200"

  # 3600 and 43200 are the inclusive limits the validation enforces
  # (1 hour and 12 hours).
  validation {
    condition     = 3600 <= var.max_session_duration && var.max_session_duration <= 43200
    error_message = "The max_session_duration must be between 3600 and 43200 seconds (1 hour and 12 hours)."
  }
}
# Policy ARNs attached to the main role; empty by default so the role starts
# with no managed permissions.
variable "managed_policies" {
  type        = list(string)
  default     = []
  description = "List of ARNs of IAM policies to attach to main IAM role"
}
# Whether to detach attached policies before the role is destroyed.
variable "force_detach_policies" {
  type        = bool
  default     = false
  description = "Whether policies should be detached from this role when destroying"
}
# Inline policy body for the main role, passed through as an opaque string.
# NOTE(review): presumably a JSON policy document; it is not validated here, so
# confirm the consuming resource's expected format.
variable "inline_policy" {
  type        = string
  default     = ""
  description = "IAM Inline Policy (String)"
}
# Inline policy body for the readonly role, passed through as an opaque string.
# NOTE(review): presumably a JSON policy document; not validated here.
variable "inline_policy_readonly" {
  type        = string
  default     = ""
  description = "IAM Inline Policy to attach to the readonly role"
}
# Selects which trust-policy shape the role gets; the per-type variables below
# only apply when the matching type is chosen.
variable "principal_type" {
  type        = string
  default     = "github"
  description = "Type of principal assuming the role (github, service, pod, breakglass)"

  # Closed allow-list; any other value is rejected at plan time.
  validation {
    condition = anytrue([
      for allowed in ["github", "service", "pod", "breakglass"] : allowed == var.principal_type
    ])
    error_message = "The principal_type must be one of: github, service, pod, or breakglass."
  }
}
# Variables for github principal type
# GitHub Actions environment the role is tied to; empty by default.
# NOTE(review): how this feeds the OIDC token condition is defined outside
# this file.
variable "github_environment" {
  type        = string
  default     = ""
  description = "Github Environment for this role"
}
# Branch that workflows must run from to assume the role; defaults to "main".
variable "github_branch" {
  type        = string
  default     = "main"
  description = "Github branch authorized for this role"
}
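variable "github_organization_name" {
  description = "Name of the GitHub Organization - Required if 'principal_type' is 'github'"
  type        = string
  default     = null

  # Note: cross-variable validation conditions are only supported in Terraform v1.9+. Comment out this validation block if you are on an older version of TF.
  #
  # The original condition only rejected a non-null value for principal types
  # other than github/breakglass; it never enforced the "required" part that
  # the description and error message both state. Now a null value is rejected
  # when principal_type is "github". Requiredness for "breakglass" is not
  # enforced because the description documents only "github" as requiring it.
  validation {
    condition = (
      var.principal_type == "github"
      ? var.github_organization_name != null
      : (var.principal_type == "breakglass" || var.github_organization_name == null)
    )
    error_message = "The github_organization_name variable is required when the principal_type is 'github', and may only be set when the principal_type is 'github' or 'breakglass'."
  }
}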
# Variables for pod principal type
# Cluster ARNs used by the pod-identity trust policy conditions.
variable "eks_cluster_arns" {
  type        = list(string)
  default     = []
  description = "List of cluster ARNs for pod principal type"
}
# Cluster names used by the pod-identity trust policy conditions.
# The variable name is singular but the type is a list; the name is part of
# the module interface, so it is left unchanged.
variable "eks_cluster_name" {
  type        = list(string)
  default     = []
  description = "List of cluster names for pod principal type"
}
# Kubernetes namespaces used by the pod-identity trust policy conditions.
variable "eks_namespaces" {
  type        = list(string)
  default     = []
  description = "List of Kubernetes namespaces for pod principal type"
}
# Kubernetes service accounts used by the pod-identity trust policy conditions.
variable "eks_service_account" {
  type        = list(string)
  default     = []
  description = "List of Kubernetes service accounts for pod principal type"
}
# Feature flags for the pod-identity trust policy. Every flag defaults to false,
# so the caller must opt in to each condition explicitly.
# The key "include_cluster_namspaces" is misspelled but is part of the module
# interface (callers set it by name), so it is kept as-is.
variable "pod_trust_policy_controls" {
  description = "specifies conditions for pod identity trust policy"

  type = object({
    include_source_account          = bool
    include_cluster_arns            = bool
    include_cluster_names           = bool
    include_cluster_namspaces       = bool
    include_cluster_service_account = bool
  })

  default = {
    include_source_account          = false
    include_cluster_arns            = false
    include_cluster_names           = false
    include_cluster_namspaces       = false
    include_cluster_service_account = false
  }
}
# Variables for service principal type
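variable "service_name" {
  description = "List of services allowed to assume the role"
  type        = list(string)
  default     = []

  # The variable is a list(string), but the previous condition passed the whole
  # list to regex(), which takes a single string. Inside can() that type error
  # became "false", so every non-empty service_name was rejected. Each element
  # is now checked on its own; alltrue([]) is true, so an empty list still
  # passes.
  validation {
    condition = alltrue([
      for svc in var.service_name : can(regex("^[A-Za-z0-9.-]+\\.amazonaws\\.com$", svc))
    ])
    error_message = "The service_name variable must be in the format of *.amazonaws.com and can only contain letters, numbers, hyphens, and dots."
  }
}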
# Feature flags for the service-principal trust policy; both conditions are
# off unless the caller opts in.
variable "service_trust_policy_controls" {
  description = "specifies conditions for service role trust policy"

  type = object({
    include_account_condition = bool
    include_org_condition     = bool
  })

  default = {
    include_account_condition = false
    include_org_condition     = false
  }
}
# Variables for break glass principal type
# Alias of the break-glass user; null when the breakglass principal type is
# not in use.
variable "breakglass_user_alias" {
  type        = string
  default     = null
  description = "Name of the break glass user"
}
# Email of the break-glass user; null when the breakglass principal type is
# not in use.
variable "breakglass_user_email" {
  type        = string
  default     = null
  description = "Email of the break glass user"

  # A null value skips the check entirely; anything else must match the
  # local@domain shape below.
  validation {
    condition = (
      var.breakglass_user_email == null
      ? true
      : can(regex("^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$", var.breakglass_user_email))
    )
    error_message = "The breakglass_user_email must be a valid email address or left empty."
  }
}
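variable "rvm_account_id" {
  description = "Account ID of the RVM account"
  type        = string
  default     = ""

  # An AWS account ID is always exactly 12 digits. Rejecting a malformed value
  # at plan time avoids a trust relationship that names an account other than
  # the one intended; the empty default keeps its current meaning.
  validation {
    condition     = var.rvm_account_id == "" || can(regex("^[0-9]{12}$", var.rvm_account_id))
    error_message = "The rvm_account_id must be a 12-digit AWS account ID or left empty."
  }
}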