forked from rouge8/terraform-aws-atlantis
-
Notifications
You must be signed in to change notification settings - Fork 0
/
variables.tf
774 lines (652 loc) · 23.9 KB
/
variables.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
variable "name" {
description = "Name to use on all resources created (VPC, ALB, etc)"
type = string
default = "atlantis"
}
variable "internal" {
description = "Whether the load balancer is internal or external"
type = bool
default = false
}
variable "tags" {
description = "A map of tags to use on all resources"
type = map(string)
default = {}
}
variable "alb_https_security_group_tags" {
description = "Additional tags to put on the https security group"
type = map(string)
default = {}
}
variable "alb_http_security_group_tags" {
description = "Additional tags to put on the http security group"
type = map(string)
default = {}
}
variable "atlantis_security_group_tags" {
description = "Additional tags to put on the atlantis security group"
type = map(string)
default = {}
}
variable "atlantis_fqdn" {
description = "FQDN of Atlantis to use. Set this only to override Route53 and ALB's DNS name."
type = string
default = null
}
# VPC
variable "vpc_id" {
description = "ID of an existing VPC where resources will be created"
type = string
default = ""
}
variable "public_subnet_ids" {
description = "A list of IDs of existing public subnets inside the VPC"
type = list(string)
default = []
}
variable "private_subnet_ids" {
description = "A list of IDs of existing private subnets inside the VPC"
type = list(string)
default = []
}
variable "cidr" {
description = "The CIDR block for the VPC which will be created if `vpc_id` is not specified"
type = string
default = ""
}
variable "azs" {
description = "A list of availability zones in the region"
type = list(string)
default = []
}
variable "manage_default_security_group" {
description = "Should be true to adopt and manage default security group"
type = bool
default = false
}
variable "default_security_group_ingress" {
description = "List of maps of ingress rules to set on the default security group"
type = list(map(string))
default = []
}
variable "default_security_group_egress" {
description = "List of maps of egress rules to set on the default security group"
type = list(map(string))
default = []
}
variable "public_subnets" {
description = "A list of public subnets inside the VPC"
type = list(string)
default = []
}
variable "private_subnets" {
description = "A list of private subnets inside the VPC"
type = list(string)
default = []
}
# ALB
variable "alb_ingress_cidr_blocks" {
description = "List of IPv4 CIDR ranges to use on all ingress rules of the ALB."
type = list(string)
default = ["0.0.0.0/0"]
}
variable "alb_ingress_ipv6_cidr_blocks" {
description = "List of IPv6 CIDR ranges to use on all ingress rules of the ALB."
type = list(string)
default = ["::/0"]
}
variable "alb_log_bucket_name" {
description = "S3 bucket (externally created) for storing load balancer access logs. Required if alb_logging_enabled is true."
type = string
default = ""
}
variable "alb_log_location_prefix" {
description = "S3 prefix within the log_bucket_name under which logs are stored."
type = string
default = ""
}
variable "alb_logging_enabled" {
description = "Controls if the ALB will log requests to S3."
type = bool
default = false
}
variable "alb_authenticate_oidc" {
description = "Map of Authenticate OIDC parameters to protect ALB (eg, using Auth0). See https://www.terraform.io/docs/providers/aws/r/lb_listener.html#authenticate-oidc-action"
type = any
default = {}
}
variable "alb_authenticate_cognito" {
description = "Map of AWS Cognito authentication parameters to protect ALB (eg, using SAML). See https://www.terraform.io/docs/providers/aws/r/lb_listener.html#authenticate-cognito-action"
type = any
default = {}
}
variable "alb_enable_deletion_protection" {
description = "If true, deletion of the load balancer will be disabled via the AWS API. This will prevent Terraform from deleting the load balancer. Defaults to false."
type = bool
default = null
}
variable "alb_drop_invalid_header_fields" {
description = "Indicates whether invalid header fields are dropped in application load balancers. Defaults to false."
type = bool
default = null
}
variable "allow_unauthenticated_access" {
description = "Whether to create ALB listener rule to allow unauthenticated access for certain CIDR blocks (eg. allow GitHub webhooks to bypass OIDC authentication)"
type = bool
default = false
}
variable "allow_unauthenticated_access_priority" {
description = "ALB listener rule priority for allow unauthenticated access rule"
type = number
default = 10
}
variable "allow_unauthenticated_webhook_access_priority" {
description = "ALB listener rule priority for allow unauthenticated webhook access rule"
type = number
default = 15
}
variable "allow_github_webhooks" {
description = "Whether to allow access for GitHub webhooks"
type = bool
default = false
}
variable "github_webhooks_cidr_blocks" {
description = "List of IPv4 CIDR blocks used by GitHub webhooks" # This is hardcoded to avoid dependency on github provider. Source: https://api.github.com/meta
type = list(string)
default = ["140.82.112.0/20", "185.199.108.0/22", "192.30.252.0/22", "143.55.64.0/20"]
}
variable "github_webhooks_ipv6_cidr_blocks" {
description = "List of IPv6 CIDR blocks used by GitHub webhooks" # This is hardcoded to avoid dependency on github provider. Source: https://api.github.com/meta
type = list(string)
default = ["2a0a:a440::/29", "2606:50c0::/32"]
}
variable "whitelist_unauthenticated_cidr_blocks" {
description = "List of allowed CIDR blocks to bypass authentication"
type = list(string)
default = []
}
variable "alb_listener_ssl_policy_default" {
description = "The security policy if using HTTPS externally on the load balancer. [See](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html)."
type = string
default = "ELBSecurityPolicy-2016-08"
}
variable "extra_load_balancers" {
description = "A list of maps for additional ECS task load balancers"
type = list(map(string))
default = []
}
# ACM
variable "certificate_arn" {
description = "ARN of certificate issued by AWS ACM. If empty, a new ACM certificate will be created and validated using Route53 DNS"
type = string
default = ""
}
variable "acm_certificate_domain_name" {
description = "Route53 domain name to use for ACM certificate. Route53 zone for this domain should be created in advance. Specify if it is different from value in `route53_zone_name`"
type = string
default = ""
}
# Route53
variable "route53_zone_name" {
description = "Route53 zone name to create ACM certificate in and main A-record, without trailing dot"
type = string
default = ""
}
variable "route53_record_name" {
description = "Name of Route53 record to create ACM certificate in and main A-record. If null is specified, var.name is used instead. Provide empty string to point root domain name to ALB."
type = string
default = null
}
variable "route53_private_zone" {
description = "Enable to use a private Route53 zone"
type = bool
default = false
}
variable "create_route53_record" {
description = "Whether to create Route53 A record for Atlantis"
type = bool
default = true
}
# Cloudwatch
variable "cloudwatch_log_retention_in_days" {
description = "Retention period of Atlantis CloudWatch logs"
type = number
default = 7
}
variable "cloudwatch_logs_kms_key_id" {
description = "The ARN of the KMS Key to use when encrypting log data."
type = string
default = null
}
# SSM parameters for secrets
variable "webhook_ssm_parameter_name" {
description = "Name of SSM parameter to keep webhook secret"
type = string
default = "/atlantis/webhook/secret"
}
variable "atlantis_github_user_token_ssm_parameter_name" {
description = "Name of SSM parameter to keep atlantis_github_user_token"
type = string
default = "/atlantis/github/user/token"
}
variable "atlantis_gitlab_user_token_ssm_parameter_name" {
description = "Name of SSM parameter to keep atlantis_gitlab_user_token"
type = string
default = "/atlantis/gitlab/user/token"
}
variable "atlantis_bitbucket_user_token_ssm_parameter_name" {
description = "Name of SSM parameter to keep atlantis_bitbucket_user_token"
type = string
default = "/atlantis/bitbucket/user/token"
}
variable "atlantis_github_app_key_ssm_parameter_name" {
description = "Name of SSM parameter to keep atlantis_github_app_key"
type = string
default = "/atlantis/github/app/key"
}
variable "ssm_kms_key_arn" {
description = "ARN of KMS key to use for encryption and decryption of SSM Parameters. Required only if your key uses a custom KMS key and not the default key"
type = string
default = ""
}
# ECS Service / Task
variable "ecs_service_assign_public_ip" {
description = "Should be true, if ECS service is using public subnets (more info: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_cannot_pull_image.html)"
type = bool
default = false
}
variable "permissions_boundary" {
description = "If provided, all IAM roles will be created with this permissions boundary attached."
type = string
default = null
}
variable "path" {
description = "If provided, all IAM roles will be created with this path."
type = string
default = "/"
}
variable "policies_arn" {
description = "A list of the ARN of the policies you want to apply"
type = list(string)
default = null
}
variable "trusted_principals" {
description = "A list of principals, in addition to ecs-tasks.amazonaws.com, that can assume the task role"
type = list(string)
default = []
}
variable "trusted_entities" {
description = "A list of users or roles, that can assume the task role"
type = list(string)
default = []
}
variable "create_ecs_cluster" {
description = "Whether to create an ECS cluster or not"
type = bool
default = true
}
variable "ecs_cluster_id" {
description = "ID of an existing ECS cluster where resources will be created"
type = string
default = ""
}
variable "ecs_fargate_spot" {
description = "Whether to run ECS Fargate Spot or not"
type = bool
default = false
}
variable "ecs_container_insights" {
description = "Controls if ECS Cluster has container insights enabled"
type = bool
default = false
}
variable "ecs_service_desired_count" {
description = "The number of instances of the task definition to place and keep running"
type = number
default = 1
}
variable "ecs_service_platform_version" {
description = "The platform version on which to run your service"
type = string
default = "LATEST"
}
variable "ecs_service_deployment_maximum_percent" {
description = "The upper limit (as a percentage of the service's desiredCount) of the number of running tasks that can be running in a service during a deployment"
type = number
default = 100
}
variable "ecs_service_deployment_minimum_healthy_percent" {
description = "The lower limit (as a percentage of the service's desiredCount) of the number of running tasks that must remain running and healthy in a service during a deployment"
type = number
default = 0
}
variable "ecs_task_cpu" {
description = "The number of cpu units used by the task"
type = number
default = 256
}
variable "ecs_task_memory" {
description = "The amount (in MiB) of memory used by the task"
type = number
default = 512
}
variable "container_cpu" {
description = "The number of cpu units used by the atlantis container. If not specified ecs_task_cpu will be used"
type = number
default = null
}
variable "container_memory" {
description = "The amount (in MiB) of memory used by the atlantis container. If not specified ecs_task_memory will be used"
type = number
default = null
}
variable "container_memory_reservation" {
description = "The amount of memory (in MiB) to reserve for the container"
type = number
default = 128
}
variable "custom_container_definitions" {
description = "A list of valid container definitions provided as a single valid JSON document. By default, the standard container definition is used."
type = string
default = ""
}
variable "extra_container_definitions" {
description = "A list of valid container definitions provided as a single valid JSON document. These will be provided as supplimentary to the main Atlantis container definition"
type = any
default = []
}
variable "entrypoint" {
description = "The entry point that is passed to the container"
type = list(string)
default = null
}
variable "command" {
description = "The command that is passed to the container"
type = list(string)
default = null
}
variable "working_directory" {
description = "The working directory to run commands inside the container"
type = string
default = null
}
variable "repository_credentials" {
description = "Container repository credentials; required when using a private repo. This map currently supports a single key; \"credentialsParameter\", which should be the ARN of a Secrets Manager's secret holding the credentials"
type = map(string)
default = null
}
variable "docker_labels" {
description = "The configuration options to send to the `docker_labels`"
type = map(string)
default = null
}
variable "start_timeout" {
description = "Time duration (in seconds) to wait before giving up on resolving dependencies for a container"
type = number
default = 30
}
variable "stop_timeout" {
description = "Time duration (in seconds) to wait before the container is forcefully killed if it doesn't exit normally on its own"
type = number
default = 30
}
variable "container_depends_on" {
description = "The dependencies defined for container startup and shutdown. A container can contain multiple dependencies. When a dependency is defined for container startup, for container shutdown it is reversed. The condition can be one of START, COMPLETE, SUCCESS or HEALTHY"
type = list(object({
containerName = string
condition = string
}))
default = null
}
variable "essential" {
description = "Determines whether all other containers in a task are stopped, if this container fails or stops for any reason. Due to how Terraform type casts booleans in json it is required to double quote this value"
type = bool
default = true
}
variable "readonly_root_filesystem" {
description = "Determines whether a container is given read-only access to its root filesystem. Due to how Terraform type casts booleans in json it is required to double quote this value"
type = bool
default = false
}
variable "mount_points" {
description = "Container mount points. This is a list of maps, where each map should contain a `containerPath` and `sourceVolume`. The `readOnly` key is optional."
type = list(any)
default = []
}
variable "volumes_from" {
description = "A list of VolumesFrom maps which contain \"sourceContainer\" (name of the container that has the volumes to mount) and \"readOnly\" (whether the container can write to the volume)"
type = list(object({
sourceContainer = string
readOnly = bool
}))
default = []
}
variable "user" {
description = "The user to run as inside the container. Must be in the uid:gid or the default (null) will use the container's configured `USER` directive or root if not set."
type = string
default = null
validation {
condition = can(regex("[0-9]+:[0-9]+", var.user)) || var.user == null
error_message = "User variable must be in the uid:gid format or null."
}
}
variable "ulimits" {
description = "Container ulimit settings. This is a list of maps, where each map should contain \"name\", \"hardLimit\" and \"softLimit\""
type = list(object({
name = string
hardLimit = number
softLimit = number
}))
default = null
}
variable "external_task_definition_updates" {
description = "Enable to allow the task definition to be updated outside of this Terraform module. This should be enabled when using a deployment tool such as ecs-deploy which updates the task definition and will then keep the ECS service using the latest version of the task definition."
type = bool
default = false
}
# https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_FirelensConfiguration.html
variable "firelens_configuration" {
description = "The FireLens configuration for the container. This is used to specify and configure a log router for container logs. For more details, see https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_FirelensConfiguration.html"
type = object({
type = string
options = map(string)
})
default = null
}
# Atlantis
variable "atlantis_image" {
description = "Docker image to run Atlantis with. If not specified, official Atlantis image will be used"
type = string
default = ""
}
variable "atlantis_version" {
description = "Verion of Atlantis to run. If not specified latest will be used"
type = string
default = "latest"
}
variable "atlantis_port" {
description = "Local port Atlantis should be running on. Default value is most likely fine."
type = number
default = 4141
}
variable "atlantis_repo_allowlist" {
description = "List of allowed repositories Atlantis can be used with"
type = list(string)
}
variable "allow_repo_config" {
description = "When true allows the use of atlantis.yaml config files within the source repos."
type = string
default = "false"
}
variable "atlantis_log_level" {
description = "Log level that Atlantis will run with. Accepted values are: <debug|info|warn|error>"
type = string
default = "debug"
}
variable "atlantis_hide_prev_plan_comments" {
description = "Enables atlantis server --hide-prev-plan-comments hiding previous plan comments on update"
type = string
default = "false"
}
variable "atlantis_write_git_creds" {
description = "Write out a .git-credentials file with the provider user and token to allow cloning private modules over HTTPS or SSH"
type = string
default = "true"
}
# Github
variable "atlantis_github_user" {
description = "GitHub username that is running the Atlantis command"
type = string
default = ""
}
variable "atlantis_github_app_id" {
description = "GitHub App ID that is running the Atlantis command"
type = string
default = ""
}
variable "atlantis_github_app_key" {
description = "GitHub App private key that is running the Atlantis command"
type = string
default = ""
}
variable "atlantis_github_user_token" {
description = "GitHub token of the user that is running the Atlantis command"
type = string
default = ""
}
variable "atlantis_github_webhook_secret" {
description = "GitHub webhook secret of an app that is running the Atlantis command"
type = string
default = ""
}
# Gitlab
variable "atlantis_gitlab_user" {
description = "Gitlab username that is running the Atlantis command"
type = string
default = ""
}
variable "atlantis_gitlab_user_token" {
description = "Gitlab token of the user that is running the Atlantis command"
type = string
default = ""
}
variable "atlantis_gitlab_hostname" {
description = "Gitlab server hostname, defaults to gitlab.com"
type = string
default = "gitlab.com"
}
# Bitbucket
variable "atlantis_bitbucket_user" {
description = "Bitbucket username that is running the Atlantis command"
type = string
default = ""
}
variable "atlantis_bitbucket_user_token" {
description = "Bitbucket token of the user that is running the Atlantis command"
type = string
default = ""
}
variable "atlantis_bitbucket_base_url" {
description = "Base URL of Bitbucket Server, use for Bitbucket on prem (Stash)"
type = string
default = ""
}
variable "custom_environment_secrets" {
description = "List of additional secrets the container will use (list should contain maps with `name` and `valueFrom`)"
type = list(object(
{
name = string
valueFrom = string
}
))
default = []
}
variable "custom_environment_variables" {
description = "List of additional environment variables the container will use (list should contain maps with `name` and `value`)"
type = list(object(
{
name = string
value = string
}
))
default = []
}
variable "security_group_ids" {
description = "List of one or more security groups to be added to the load balancer"
type = list(string)
default = []
}
variable "propagate_tags" {
description = "Specifies whether to propagate the tags from the task definition or the service to the tasks. The valid values are SERVICE and TASK_DEFINITION"
type = string
default = null
}
variable "enable_ecs_managed_tags" {
description = "Specifies whether to enable Amazon ECS managed tags for the tasks within the service"
type = bool
default = false
}
variable "use_ecs_old_arn_format" {
description = "A flag to enable/disable tagging the ecs resources that require the new longer arn format"
type = bool
default = false
}
variable "ecs_service_force_new_deployment" {
description = "Enable to force a new task deployment of the service. This can be used to update tasks to use a newer Docker image with same image/tag combination (e.g. myimage:latest)"
type = bool
default = false
}
variable "ecs_service_enable_execute_command" {
description = "Enable ECS exec for the service. This can be used to allow interactive sessions and commands to be executed in the container"
type = bool
default = true
}
variable "enable_ephemeral_storage" {
description = "Enable to use Fargate Ephemeral Storage"
type = bool
default = false
}
variable "ephemeral_storage_size" {
description = "Size of Ephemeral Storage in GiB"
type = number
default = 21
validation {
condition = var.ephemeral_storage_size >= 21 && var.ephemeral_storage_size <= 200
error_message = "The minimum supported value is 21 GiB and the maximum supported value is 200 GiB."
}
}
variable "efs_file_system_encrypted" {
description = "If true, the disk will be encrypted."
type = bool
default = false
}
variable "efs_file_system_token" {
description = "Be able to import other EFS instance created by the other module"
type = string
default = ""
}
variable "alb_ip_address_type" {
description = "The type of IP addresses used by the subnets for your load balancer. The possible values are ipv4 and dualstack"
type = string
default = "ipv4"
}
variable "create_route53_aaaa_record" {
description = "Whether to create Route53 AAAA record for Atlantis"
type = bool
default = false
}
variable "runtime_platform" {
description = "Configuration block for runtime_platform that containers in your task may use."
type = any
default = null
}
variable "max_session_duration" {
description = "Maximum session duration (in seconds) for ecs task execution role. Default is 3600."
type = number
default = null
}
variable "alb_enable_cross_zone_load_balancing" {
description = "Whether cross-zone load balancing is enabled for the load balancer"
type = bool
default = null
}