diff --git a/modules/perforce/helix-authentication-service/README.md b/modules/perforce/helix-authentication-service/README.md index f1ed3d9..8427f88 100644 --- a/modules/perforce/helix-authentication-service/README.md +++ b/modules/perforce/helix-authentication-service/README.md @@ -6,8 +6,8 @@ | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | 5.72.1 | -| [awscc](#requirement\_awscc) | 1.20.0 | +| [aws](#requirement\_aws) | 5.78.0 | +| [awscc](#requirement\_awscc) | 1.22.0 | | [random](#requirement\_random) | 3.6.3 | ## Providers 
@@ -26,50 +26,51 @@ No modules. | Name | Type | |------|------| -| [aws_cloudwatch_log_group.helix_authentication_service_log_group](https://registry.terraform.io/providers/hashicorp/aws/5.72.1/docs/resources/cloudwatch_log_group) | resource | -| [aws_ecs_cluster.helix_authentication_service_cluster](https://registry.terraform.io/providers/hashicorp/aws/5.72.1/docs/resources/ecs_cluster) | resource | -| [aws_ecs_cluster_capacity_providers.helix_authentication_service_cluster_fargate_providers](https://registry.terraform.io/providers/hashicorp/aws/5.72.1/docs/resources/ecs_cluster_capacity_providers) | resource | -| [aws_ecs_service.helix_authentication_service](https://registry.terraform.io/providers/hashicorp/aws/5.72.1/docs/resources/ecs_service) | resource | -| [aws_ecs_task_definition.helix_authentication_service_task_definition](https://registry.terraform.io/providers/hashicorp/aws/5.72.1/docs/resources/ecs_task_definition) | resource | -| [aws_iam_policy.helix_authentication_service_default_policy](https://registry.terraform.io/providers/hashicorp/aws/5.72.1/docs/resources/iam_policy) | resource | -| [aws_iam_policy.helix_authentication_service_secrets_manager_policy](https://registry.terraform.io/providers/hashicorp/aws/5.72.1/docs/resources/iam_policy) | resource | -| [aws_iam_role.helix_authentication_service_default_role](https://registry.terraform.io/providers/hashicorp/aws/5.72.1/docs/resources/iam_role) | resource | -| [aws_iam_role.helix_authentication_service_task_execution_role](https://registry.terraform.io/providers/hashicorp/aws/5.72.1/docs/resources/iam_role) | resource | -| [aws_lb.helix_authentication_service_alb](https://registry.terraform.io/providers/hashicorp/aws/5.72.1/docs/resources/lb) | resource | -| [aws_lb_listener.helix_authentication_service_alb_https_listener](https://registry.terraform.io/providers/hashicorp/aws/5.72.1/docs/resources/lb_listener) | resource | -| 
[aws_lb_target_group.helix_authentication_service_alb_target_group](https://registry.terraform.io/providers/hashicorp/aws/5.72.1/docs/resources/lb_target_group) | resource | -| [aws_s3_bucket.helix_authentication_service_alb_access_logs_bucket](https://registry.terraform.io/providers/hashicorp/aws/5.72.1/docs/resources/s3_bucket) | resource | -| [aws_s3_bucket_lifecycle_configuration.access_logs_bucket_lifecycle_configuration](https://registry.terraform.io/providers/hashicorp/aws/5.72.1/docs/resources/s3_bucket_lifecycle_configuration) | resource | -| [aws_s3_bucket_policy.alb_access_logs_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/5.72.1/docs/resources/s3_bucket_policy) | resource | -| [aws_s3_bucket_public_access_block.access_logs_bucket_public_block](https://registry.terraform.io/providers/hashicorp/aws/5.72.1/docs/resources/s3_bucket_public_access_block) | resource | -| [aws_security_group.helix_authentication_service_alb_sg](https://registry.terraform.io/providers/hashicorp/aws/5.72.1/docs/resources/security_group) | resource | -| [aws_security_group.helix_authentication_service_sg](https://registry.terraform.io/providers/hashicorp/aws/5.72.1/docs/resources/security_group) | resource | -| [aws_vpc_security_group_egress_rule.helix_authentication_service_alb_outbound_service](https://registry.terraform.io/providers/hashicorp/aws/5.72.1/docs/resources/vpc_security_group_egress_rule) | resource | -| [aws_vpc_security_group_egress_rule.helix_authentication_service_outbound_ipv4](https://registry.terraform.io/providers/hashicorp/aws/5.72.1/docs/resources/vpc_security_group_egress_rule) | resource | -| [aws_vpc_security_group_egress_rule.helix_authentication_service_outbound_ipv6](https://registry.terraform.io/providers/hashicorp/aws/5.72.1/docs/resources/vpc_security_group_egress_rule) | resource | -| 
[aws_vpc_security_group_ingress_rule.helix_authentication_service_inbound_alb](https://registry.terraform.io/providers/hashicorp/aws/5.72.1/docs/resources/vpc_security_group_ingress_rule) | resource | -| [awscc_secretsmanager_secret.helix_authentication_service_admin_password](https://registry.terraform.io/providers/hashicorp/awscc/1.20.0/docs/resources/secretsmanager_secret) | resource | -| [awscc_secretsmanager_secret.helix_authentication_service_admin_username](https://registry.terraform.io/providers/hashicorp/awscc/1.20.0/docs/resources/secretsmanager_secret) | resource | +| [aws_cloudwatch_log_group.helix_authentication_service_log_group](https://registry.terraform.io/providers/hashicorp/aws/5.78.0/docs/resources/cloudwatch_log_group) | resource | +| [aws_ecs_cluster.helix_authentication_service_cluster](https://registry.terraform.io/providers/hashicorp/aws/5.78.0/docs/resources/ecs_cluster) | resource | +| [aws_ecs_cluster_capacity_providers.helix_authentication_service_cluster_fargate_providers](https://registry.terraform.io/providers/hashicorp/aws/5.78.0/docs/resources/ecs_cluster_capacity_providers) | resource | +| [aws_ecs_service.helix_authentication_service](https://registry.terraform.io/providers/hashicorp/aws/5.78.0/docs/resources/ecs_service) | resource | +| [aws_ecs_task_definition.helix_authentication_service_task_definition](https://registry.terraform.io/providers/hashicorp/aws/5.78.0/docs/resources/ecs_task_definition) | resource | +| [aws_iam_policy.helix_authentication_service_default_policy](https://registry.terraform.io/providers/hashicorp/aws/5.78.0/docs/resources/iam_policy) | resource | +| [aws_iam_policy.helix_authentication_service_secrets_manager_policy](https://registry.terraform.io/providers/hashicorp/aws/5.78.0/docs/resources/iam_policy) | resource | +| [aws_iam_role.helix_authentication_service_default_role](https://registry.terraform.io/providers/hashicorp/aws/5.78.0/docs/resources/iam_role) | resource | +| 
[aws_iam_role.helix_authentication_service_task_execution_role](https://registry.terraform.io/providers/hashicorp/aws/5.78.0/docs/resources/iam_role) | resource | +| [aws_lb.helix_authentication_service_alb](https://registry.terraform.io/providers/hashicorp/aws/5.78.0/docs/resources/lb) | resource | +| [aws_lb_listener.helix_authentication_service_alb_https_listener](https://registry.terraform.io/providers/hashicorp/aws/5.78.0/docs/resources/lb_listener) | resource | +| [aws_lb_target_group.helix_authentication_service_alb_target_group](https://registry.terraform.io/providers/hashicorp/aws/5.78.0/docs/resources/lb_target_group) | resource | +| [aws_s3_bucket.helix_authentication_service_alb_access_logs_bucket](https://registry.terraform.io/providers/hashicorp/aws/5.78.0/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_lifecycle_configuration.access_logs_bucket_lifecycle_configuration](https://registry.terraform.io/providers/hashicorp/aws/5.78.0/docs/resources/s3_bucket_lifecycle_configuration) | resource | +| [aws_s3_bucket_policy.alb_access_logs_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/5.78.0/docs/resources/s3_bucket_policy) | resource | +| [aws_s3_bucket_public_access_block.access_logs_bucket_public_block](https://registry.terraform.io/providers/hashicorp/aws/5.78.0/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_security_group.helix_authentication_service_alb_sg](https://registry.terraform.io/providers/hashicorp/aws/5.78.0/docs/resources/security_group) | resource | +| [aws_security_group.helix_authentication_service_sg](https://registry.terraform.io/providers/hashicorp/aws/5.78.0/docs/resources/security_group) | resource | +| [aws_vpc_security_group_egress_rule.helix_authentication_service_alb_outbound_service](https://registry.terraform.io/providers/hashicorp/aws/5.78.0/docs/resources/vpc_security_group_egress_rule) | resource | +| 
[aws_vpc_security_group_egress_rule.helix_authentication_service_outbound_ipv4](https://registry.terraform.io/providers/hashicorp/aws/5.78.0/docs/resources/vpc_security_group_egress_rule) | resource | +| [aws_vpc_security_group_egress_rule.helix_authentication_service_outbound_ipv6](https://registry.terraform.io/providers/hashicorp/aws/5.78.0/docs/resources/vpc_security_group_egress_rule) | resource | +| [aws_vpc_security_group_ingress_rule.helix_authentication_service_inbound_alb](https://registry.terraform.io/providers/hashicorp/aws/5.78.0/docs/resources/vpc_security_group_ingress_rule) | resource | +| [awscc_secretsmanager_secret.helix_authentication_service_admin_password](https://registry.terraform.io/providers/hashicorp/awscc/1.22.0/docs/resources/secretsmanager_secret) | resource | +| [awscc_secretsmanager_secret.helix_authentication_service_admin_username](https://registry.terraform.io/providers/hashicorp/awscc/1.22.0/docs/resources/secretsmanager_secret) | resource | | [random_string.helix_authentication_service](https://registry.terraform.io/providers/hashicorp/random/3.6.3/docs/resources/string) | resource | | [random_string.helix_authentication_service_alb_access_logs_bucket_suffix](https://registry.terraform.io/providers/hashicorp/random/3.6.3/docs/resources/string) | resource | -| [aws_ecs_cluster.helix_authentication_service_cluster](https://registry.terraform.io/providers/hashicorp/aws/5.72.1/docs/data-sources/ecs_cluster) | data source | -| [aws_elb_service_account.main](https://registry.terraform.io/providers/hashicorp/aws/5.72.1/docs/data-sources/elb_service_account) | data source | -| [aws_iam_policy_document.access_logs_bucket_alb_write](https://registry.terraform.io/providers/hashicorp/aws/5.72.1/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.ecs_tasks_trust_relationship](https://registry.terraform.io/providers/hashicorp/aws/5.72.1/docs/data-sources/iam_policy_document) | data source | -| 
[aws_iam_policy_document.helix_authentication_service_default_policy](https://registry.terraform.io/providers/hashicorp/aws/5.72.1/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.helix_authentication_service_secrets_manager_policy](https://registry.terraform.io/providers/hashicorp/aws/5.72.1/docs/data-sources/iam_policy_document) | data source | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/5.72.1/docs/data-sources/region) | data source | +| [aws_ecs_cluster.helix_authentication_service_cluster](https://registry.terraform.io/providers/hashicorp/aws/5.78.0/docs/data-sources/ecs_cluster) | data source | +| [aws_elb_service_account.main](https://registry.terraform.io/providers/hashicorp/aws/5.78.0/docs/data-sources/elb_service_account) | data source | +| [aws_iam_policy_document.access_logs_bucket_alb_write](https://registry.terraform.io/providers/hashicorp/aws/5.78.0/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.ecs_tasks_trust_relationship](https://registry.terraform.io/providers/hashicorp/aws/5.78.0/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.helix_authentication_service_default_policy](https://registry.terraform.io/providers/hashicorp/aws/5.78.0/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.helix_authentication_service_secrets_manager_policy](https://registry.terraform.io/providers/hashicorp/aws/5.78.0/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/5.78.0/docs/data-sources/region) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [certificate\_arn](#input\_certificate\_arn) | The TLS certificate ARN for the Helix Authentication Service load balancer. 
| `string` | n/a | yes | +| [certificate\_arn](#input\_certificate\_arn) | The TLS certificate ARN for the Helix Authentication Service load balancer. | `string` | `null` | no | | [cluster\_name](#input\_cluster\_name) | The name of the cluster to deploy the Helix Authentication Service into. Defaults to null and a cluster will be created. | `string` | `null` | no | | [container\_cpu](#input\_container\_cpu) | The CPU allotment for the Helix Authentication Service container. | `number` | `1024` | no | | [container\_memory](#input\_container\_memory) | The memory allotment for the Helix Authentication Service container. | `number` | `4096` | no | | [container\_name](#input\_container\_name) | The name of the Helix Authentication Service container. | `string` | `"helix-auth-container"` | no | | [container\_port](#input\_container\_port) | The container port that Helix Authentication Service runs on. | `number` | `3000` | no | +| [create\_application\_load\_balancer](#input\_create\_application\_load\_balancer) | This flag controls the creation of an application load balancer as part of the module. | `bool` | `true` | no | | [create\_helix\_authentication\_service\_default\_policy](#input\_create\_helix\_authentication\_service\_default\_policy) | Optional creation of Helix Authentication Service default IAM Policy. Default is set to true. | `bool` | `true` | no | | [create\_helix\_authentication\_service\_default\_role](#input\_create\_helix\_authentication\_service\_default\_role) | Optional creation of Helix Authentication Service default IAM Role. Default is set to true. | `bool` | `true` | no | | [custom\_helix\_authentication\_service\_role](#input\_custom\_helix\_authentication\_service\_role) | ARN of the custom IAM Role you wish to use with Helix Authentication Service. | `string` | `null` | no | 
@@ -85,7 +86,7 @@ No modules. | [helix\_authentication\_service\_admin\_username\_secret\_arn](#input\_helix\_authentication\_service\_admin\_username\_secret\_arn) | Optionally provide the ARN of an AWS Secret for the Helix Authentication Service Administrator username. | `string` | `null` | no | | [helix\_authentication\_service\_alb\_access\_logs\_bucket](#input\_helix\_authentication\_service\_alb\_access\_logs\_bucket) | ID of the S3 bucket for Helix Authentication Service ALB access log storage. If access logging is enabled and this is null the module creates a bucket. | `string` | `null` | no | | [helix\_authentication\_service\_alb\_access\_logs\_prefix](#input\_helix\_authentication\_service\_alb\_access\_logs\_prefix) | Log prefix for Helix Authentication Service ALB access logs. If null the project prefix and module name are used. | `string` | `null` | no | -| [helix\_authentication\_service\_alb\_subnets](#input\_helix\_authentication\_service\_alb\_subnets) | A list of subnets to deploy the Helix Authentication Service load balancer into. Public subnets are recommended. | `list(string)` | n/a | yes | +| [helix\_authentication\_service\_alb\_subnets](#input\_helix\_authentication\_service\_alb\_subnets) | A list of subnets to deploy the Helix Authentication Service load balancer into. Public subnets are recommended. | `list(string)` | `[]` | no | | [helix\_authentication\_service\_cloudwatch\_log\_retention\_in\_days](#input\_helix\_authentication\_service\_cloudwatch\_log\_retention\_in\_days) | The log retention in days of the cloudwatch log group for Helix Authentication Service. | `string` | `365` | no | | [helix\_authentication\_service\_subnets](#input\_helix\_authentication\_service\_subnets) | A list of subnets to deploy the Helix Authentication Service into. Private subnets are recommended. 
| `list(string)` | n/a | yes | | [internal](#input\_internal) | Set this flag to true if you do not want the Helix Authentication Service load balancer to have a public IP. | `bool` | `false` | no | diff --git a/modules/perforce/helix-authentication-service/alb.tf b/modules/perforce/helix-authentication-service/alb.tf index 795c310..1b34aa4 100644 --- a/modules/perforce/helix-authentication-service/alb.tf +++ b/modules/perforce/helix-authentication-service/alb.tf @@ -2,6 +2,7 @@ # Load Balancer ################################################################################ resource "aws_lb" "helix_authentication_service_alb" { + count = var.create_application_load_balancer ? 1 : 0 name = "${local.name_prefix}-alb" internal = var.internal load_balancer_type = "application" 
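Review bot: Only `aws_lb` (this hunk) and the HTTPS listener are gated on `create_application_load_balancer`; the ALB security group is not — the next hunk's context line still reads `aws_security_group.helix_authentication_service_alb_sg.id` with no index, and the README resource list still carries `aws_vpc_security_group_ingress_rule.helix_authentication_service_inbound_alb`, so with the flag false the module presumably still creates an ALB security group and a service ingress rule that admits traffic only from that group. A caller bringing their own load balancer then either cannot reach the task or has to find and attach that orphaned group, and the tempting workaround is to widen the service group instead. Either gate the ALB group and its egress rule on the same flag and accept an input for the external balancer's security group id that the service ingress rule uses, or at least document the wiring on the new variable: `# When false, the module still creates the ALB security group; attach it (or pass your balancer's group to the service ingress rule) so traffic can reach the task.` The security-group and ingress-rule definitions are outside this diff, so the above is inferred from the unindexed reference and the resource list.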
@@ -9,11 +10,15 @@ resource "aws_lb" "helix_authentication_service_alb" { security_groups = concat(var.existing_security_groups, [aws_security_group.helix_authentication_service_alb_sg.id]) dynamic "access_logs" { - for_each = var.enable_helix_authentication_service_alb_access_logs ? [1] : [] + for_each = (var.create_application_load_balancer && var.enable_helix_authentication_service_alb_access_logs ? [1] : + []) content { enabled = var.enable_helix_authentication_service_alb_access_logs - bucket = var.helix_authentication_service_alb_access_logs_bucket != null ? var.helix_authentication_service_alb_access_logs_bucket : aws_s3_bucket.helix_authentication_service_alb_access_logs_bucket[0].id - prefix = var.helix_authentication_service_alb_access_logs_prefix != null ? var.helix_authentication_service_alb_access_logs_prefix : "${local.name_prefix}-alb" + bucket = (var.helix_authentication_service_alb_access_logs_bucket != null ? + var.helix_authentication_service_alb_access_logs_bucket : + aws_s3_bucket.helix_authentication_service_alb_access_logs_bucket[0].id) + prefix = (var.helix_authentication_service_alb_access_logs_prefix != null ? + var.helix_authentication_service_alb_access_logs_prefix : "${local.name_prefix}-alb") } } enable_deletion_protection = var.enable_helix_authentication_service_alb_deletion_protection 
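Review bot: The `var.create_application_load_balancer &&` term added to the `access_logs` `for_each` is redundant: this dynamic block sits inside `aws_lb.helix_authentication_service_alb`, which the previous hunk already gives `count = var.create_application_load_balancer ? 1 : 0`, so the block is never evaluated when the flag is false. The extra condition only obscures which flag actually decides whether logs are written; `for_each = var.enable_helix_authentication_service_alb_access_logs ? [1] : []` says the same thing. Likewise `enabled = var.enable_helix_authentication_service_alb_access_logs` inside the block is always true once the block exists and can simply be `enabled = true`. The `aws_lb` resource continues past this hunk.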
@@ -26,14 +31,18 @@ resource "aws_lb" "helix_authentication_service_alb" { } resource "random_string" "helix_authentication_service_alb_access_logs_bucket_suffix" { - count = var.enable_helix_authentication_service_alb_access_logs && var.helix_authentication_service_alb_access_logs_bucket == null ? 1 : 0 + count = ( + var.create_application_load_balancer && var.enable_helix_authentication_service_alb_access_logs && var.helix_authentication_service_alb_access_logs_bucket == null + ? 1 : 0) length = 8 special = false upper = false } resource "aws_s3_bucket" "helix_authentication_service_alb_access_logs_bucket" { - count = var.enable_helix_authentication_service_alb_access_logs && var.helix_authentication_service_alb_access_logs_bucket == null ? 1 : 0 + count = ( + var.create_application_load_balancer && var.enable_helix_authentication_service_alb_access_logs && var.helix_authentication_service_alb_access_logs_bucket == null + ? 1 : 0) bucket = "${local.name_prefix}-alb-access-logs-${random_string.helix_authentication_service_alb_access_logs_bucket_suffix[0].result}" #checkov:skip=CKV_AWS_21: Versioning not necessary for access logs @@ -50,7 +59,9 @@ resource "aws_s3_bucket" "helix_authentication_service_alb_access_logs_bucket" { data "aws_elb_service_account" "main" {} data "aws_iam_policy_document" "access_logs_bucket_alb_write" { - count = var.enable_helix_authentication_service_alb_access_logs && var.helix_authentication_service_alb_access_logs_bucket == null ? 1 : 0 + count = ( + var.create_application_load_balancer && var.enable_helix_authentication_service_alb_access_logs && var.helix_authentication_service_alb_access_logs_bucket == null + ? 1 : 0) statement { effect = "Allow" actions = ["s3:PutObject"] 
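Review bot: The three-term condition `var.create_application_load_balancer && var.enable_helix_authentication_service_alb_access_logs && var.helix_authentication_service_alb_access_logs_bucket == null` is now copied verbatim into the `count` of the random suffix and the bucket here, and into the policy document, bucket policy, lifecycle configuration and public-access block in the following hunks. Six hand-synchronised copies are a drift risk: a later edit to one of them can leave the log bucket created without the `aws_s3_bucket_public_access_block` or bucket policy that protects it, and nothing in `terraform validate` will notice. Define it once, e.g. `create_alb_access_logs_bucket = var.create_application_load_balancer && var.enable_helix_authentication_service_alb_access_logs && var.helix_authentication_service_alb_access_logs_bucket == null` in `locals`, and make every gated resource `count = local.create_alb_access_logs_bucket ? 1 : 0`.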
@@ -58,19 +69,26 @@ data "aws_iam_policy_document" "access_logs_bucket_alb_write" { type = "AWS" identifiers = [data.aws_elb_service_account.main.arn] } - resources = ["${var.helix_authentication_service_alb_access_logs_bucket != null ? var.helix_authentication_service_alb_access_logs_bucket : aws_s3_bucket.helix_authentication_service_alb_access_logs_bucket[0].arn}/${var.helix_authentication_service_alb_access_logs_prefix != null ? var.helix_authentication_service_alb_access_logs_prefix : "${local.name_prefix}-alb"}/*" + resources = [ + "${var.helix_authentication_service_alb_access_logs_bucket != null ? var.helix_authentication_service_alb_access_logs_bucket : aws_s3_bucket.helix_authentication_service_alb_access_logs_bucket[0].arn}/${var.helix_authentication_service_alb_access_logs_prefix != null ? var.helix_authentication_service_alb_access_logs_prefix : "${local.name_prefix}-alb"}/*" ] } } resource "aws_s3_bucket_policy" "alb_access_logs_bucket_policy" { - count = var.enable_helix_authentication_service_alb_access_logs && var.helix_authentication_service_alb_access_logs_bucket == null ? 1 : 0 - bucket = var.helix_authentication_service_alb_access_logs_bucket == null ? aws_s3_bucket.helix_authentication_service_alb_access_logs_bucket[0].id : var.helix_authentication_service_alb_access_logs_bucket + count = ( + var.create_application_load_balancer && var.enable_helix_authentication_service_alb_access_logs && var.helix_authentication_service_alb_access_logs_bucket == null + ? 1 : 0) + bucket = (var.helix_authentication_service_alb_access_logs_bucket == null ? 
+ aws_s3_bucket.helix_authentication_service_alb_access_logs_bucket[0].id : + var.helix_authentication_service_alb_access_logs_bucket) policy = data.aws_iam_policy_document.access_logs_bucket_alb_write[0].json } resource "aws_s3_bucket_lifecycle_configuration" "access_logs_bucket_lifecycle_configuration" { - count = var.enable_helix_authentication_service_alb_access_logs && var.helix_authentication_service_alb_access_logs_bucket == null ? 1 : 0 + count = ( + var.create_application_load_balancer && var.enable_helix_authentication_service_alb_access_logs && var.helix_authentication_service_alb_access_logs_bucket == null + ? 1 : 0) depends_on = [ aws_s3_bucket.helix_authentication_service_alb_access_logs_bucket[0] ] @@ -92,7 +110,9 @@ resource "aws_s3_bucket_lifecycle_configuration" "access_logs_bucket_lifecycle_c } resource "aws_s3_bucket_public_access_block" "access_logs_bucket_public_block" { - count = var.enable_helix_authentication_service_alb_access_logs && var.helix_authentication_service_alb_access_logs_bucket == null ? 1 : 0 + count = ( + var.create_application_load_balancer && var.enable_helix_authentication_service_alb_access_logs && var.helix_authentication_service_alb_access_logs_bucket == null + ? 1 : 0) depends_on = [ aws_s3_bucket.helix_authentication_service_alb_access_logs_bucket[0] ] @@ -127,7 +147,8 @@ resource "aws_lb_target_group" "helix_authentication_service_alb_target_group" { # HTTPS listener for helix_authentication_service ALB resource "aws_lb_listener" "helix_authentication_service_alb_https_listener" { - load_balancer_arn = aws_lb.helix_authentication_service_alb.arn + count = var.create_application_load_balancer ? 1 : 0 + load_balancer_arn = aws_lb.helix_authentication_service_alb[0].arn port = "443" protocol = "HTTPS" ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06" diff --git a/modules/perforce/helix-authentication-service/outputs.tf b/modules/perforce/helix-authentication-service/outputs.tf index 108f896..e908577 100644 
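Review bot: The `resources` entry in `access_logs_bucket_alb_write` still branches on `var.helix_authentication_service_alb_access_logs_bucket != null`, but the resource's `count` directly above is non-zero only when that variable is null, so the first branch is dead — and if it were ever reached it would place a bucket name where an S3 ARN is required, so the `s3:PutObject` grant to `data.aws_elb_service_account.main.arn` would match nothing. The mirror-image `== null` branch in `aws_s3_bucket_policy.alb_access_logs_bucket_policy`'s `bucket` is dead for the same reason. Since this reflow rewrites both lines anyway, reduce them to `resources = ["${aws_s3_bucket.helix_authentication_service_alb_access_logs_bucket[0].arn}/${var.helix_authentication_service_alb_access_logs_prefix != null ? var.helix_authentication_service_alb_access_logs_prefix : "${local.name_prefix}-alb"}/*"]` and `bucket = aws_s3_bucket.helix_authentication_service_alb_access_logs_bucket[0].id`. It is also worth a comment on the bucket variable that a caller-supplied bucket gets no policy from this module, so the caller must grant the ELB service account `s3:PutObject` on the prefix themselves or access logging will not be delivered.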
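Review bot: Making the HTTPS listener conditional also removes the only place this module pins `ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"` and consumes `certificate_arn`; the target group stays and is exported, so a caller who fronts it with their own balancer now owns TLS termination, the cipher policy and the certificate. The new variable's description, "This flag controls the creation of an application load balancer as part of the module.", does not say any of that. Suggest `description = "Create an ALB with an HTTPS listener in front of the service. When false, attach the exported target group to your own listener; TLS termination, the TLS policy and the certificate are then your responsibility."`. The listener resource continues past this hunk.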
--- a/modules/perforce/helix-authentication-service/outputs.tf +++ b/modules/perforce/helix-authentication-service/outputs.tf @@ -16,12 +16,12 @@ output "cluster_name" { output "alb_dns_name" { description = "The DNS name of the Helix Authentication Service ALB" - value = aws_lb.helix_authentication_service_alb.dns_name + value = var.create_application_load_balancer ? aws_lb.helix_authentication_service_alb[0].dns_name : null } output "alb_zone_id" { description = "The hosted zone ID of the Helix Authentication Service ALB" - value = aws_lb.helix_authentication_service_alb.zone_id + value = var.create_application_load_balancer ? aws_lb.helix_authentication_service_alb[0].zone_id : null } output "target_group_arn" { diff --git a/modules/perforce/helix-authentication-service/variables.tf b/modules/perforce/helix-authentication-service/variables.tf index e365b2b..f2d60fd 100644 --- a/modules/perforce/helix-authentication-service/variables.tf +++ b/modules/perforce/helix-authentication-service/variables.tf @@ -106,9 +106,21 @@ variable "enable_web_based_administration" { } # - Load Balancer - +variable "create_application_load_balancer" { + type = bool + default = true + description = "This flag controls the creation of an application load balancer as part of the module." +} + variable "helix_authentication_service_alb_subnets" { type = list(string) description = "A list of subnets to deploy the Helix Authentication Service load balancer into. Public subnets are recommended." + default = [] + validation { + condition = (length(var.helix_authentication_service_alb_subnets) > 0) == var.create_application_load_balancer + error_message = "Subnets are only necessary if the create_application_load_balancer variable is set." + } + } variable "enable_helix_authentication_service_alb_access_logs" { 
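Review bot: The two outputs now repeat the creation flag in a conditional, `var.create_application_load_balancer ? aws_lb.helix_authentication_service_alb[0].dns_name : null`, which must be kept in step with the resource's `count` by hand. The idiomatic form for a count-0-or-1 resource is `value = one(aws_lb.helix_authentication_service_alb[*].dns_name)` and `value = one(aws_lb.helix_authentication_service_alb[*].zone_id)`: it yields the same value when the ALB exists and `null` otherwise, with no second copy of the condition. `one()` is available from Terraform 0.15, so it is within the `>= 1.0` requirement the README states.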
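Review bot: The new `validation` on `helix_authentication_service_alb_subnets` references `var.create_application_load_balancer`, but a variable's validation condition may only refer to the variable itself before Terraform 1.9, so on the `>= 1.0` range the README still advertises this block fails at `terraform validate` with "can only refer to the variable itself". Either raise `required_version` to `>= 1.9.0` (and update the README requirements table, which still shows `>= 1.0`), or keep the compatibility range and move the check to a `lifecycle { precondition { condition = length(var.helix_authentication_service_alb_subnets) > 0 ... } }` on `aws_lb.helix_authentication_service_alb`. The same applies to the `certificate_arn` validation in the next hunk. The error message `"Subnets are only necessary if the create_application_load_balancer variable is set."` also hides the other half of the condition; `"helix_authentication_service_alb_subnets must be non-empty when create_application_load_balancer is true and empty when it is false."` states what is actually checked.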
@@ -155,6 +167,11 @@ variable "internal" { variable "certificate_arn" { type = string description = "The TLS certificate ARN for the Helix Authentication Service load balancer." + default = null + validation { + condition = var.create_application_load_balancer == (var.certificate_arn != null) + error_message = "The certificate_arn variable must be set if and only if the create_application_load_balancer variable is set." + } } # - Logging -
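Review bot: The `certificate_arn` validation tests only `var.certificate_arn != null`, so `certificate_arn = ""` passes validation with the ALB enabled and the failure moves to apply time inside the listener, after the ALB and its security groups already exist. Since the point of the rule is to fail early, check for a usable value: `condition = var.create_application_load_balancer == (var.certificate_arn != null && var.certificate_arn != "")`. The description should also mention the new default, e.g. `"The TLS certificate ARN for the Helix Authentication Service load balancer. Required when create_application_load_balancer is true; leave null otherwise."`.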