forked from cloudposse/terraform-aws-eks-cluster
-
Notifications
You must be signed in to change notification settings - Fork 0
/
variables.tf
207 lines (173 loc) · 6.55 KB
/
variables.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
variable "region" {
type = string
description = "AWS Region"
}
variable "vpc_id" {
type = string
description = "VPC ID for the EKS cluster"
}
variable "subnet_ids" {
description = "A list of subnet IDs to launch the cluster in"
type = list(string)
}
variable "security_group_enabled" {
type = bool
description = "Whether to create default Security Group for EKS cluster."
default = true
}
variable "security_group_description" {
type = string
default = "Security Group for EKS cluster"
description = "The Security Group description."
}
variable "security_group_use_name_prefix" {
type = bool
default = false
description = "Whether to create a default Security Group with unique name beginning with the normalized prefix."
}
variable "security_group_rules" {
type = list(any)
default = [
{
type = "egress"
from_port = 0
to_port = 65535
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
description = "Allow all outbound traffic"
}
]
description = <<-EOT
A list of maps of Security Group rules.
The values of map is fully complated with `aws_security_group_rule` resource.
To get more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule .
EOT
}
variable "security_groups" {
type = list(string)
default = []
description = "A list of Security Group IDs to associate with EKS cluster."
}
variable "eks_cluster_service_role_arn" {
type = string
description = "The ARN of an externally created EKS service role to use, or leave blank to create one"
default = null
}
variable "workers_role_arns" {
type = list(string)
description = "List of Role ARNs of the worker nodes"
default = []
}
variable "kubernetes_version" {
type = string
default = "1.15"
description = "Desired Kubernetes master version. If you do not specify a value, the latest available version is used"
}
variable "oidc_provider_enabled" {
type = bool
default = false
description = "Create an IAM OIDC identity provider for the cluster, then you can create IAM roles to associate with a service account in the cluster, instead of using kiam or kube2iam. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html"
}
variable "endpoint_private_access" {
type = bool
default = false
description = "Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default to AWS EKS resource and it is false"
}
variable "endpoint_public_access" {
type = bool
default = true
description = "Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default to AWS EKS resource and it is true"
}
variable "public_access_cidrs" {
type = list(string)
default = ["0.0.0.0/0"]
description = "Indicates which CIDR blocks can access the Amazon EKS public API server endpoint when enabled. EKS defaults this to a list with 0.0.0.0/0."
}
variable "enabled_cluster_log_types" {
type = list(string)
default = []
description = "A list of the desired control plane logging to enable. For more information, see https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. Possible values [`api`, `audit`, `authenticator`, `controllerManager`, `scheduler`]"
}
variable "cluster_log_retention_period" {
type = number
default = 0
description = "Number of days to retain cluster logs. Requires `enabled_cluster_log_types` to be set. See https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html."
}
variable "apply_config_map_aws_auth" {
type = bool
default = true
description = "Whether to apply the ConfigMap to allow worker nodes to join the EKS cluster and allow additional users, accounts and roles to acces the cluster"
}
variable "map_additional_aws_accounts" {
description = "Additional AWS account numbers to add to `config-map-aws-auth` ConfigMap"
type = list(string)
default = []
}
variable "map_additional_iam_roles" {
description = "Additional IAM roles to add to `config-map-aws-auth` ConfigMap"
type = list(object({
rolearn = string
username = string
groups = list(string)
}))
default = []
}
variable "map_additional_iam_users" {
description = "Additional IAM users to add to `config-map-aws-auth` ConfigMap"
type = list(object({
userarn = string
username = string
groups = list(string)
}))
default = []
}
variable "local_exec_interpreter" {
type = list(string)
default = ["/bin/sh", "-c"]
description = "shell to use for local_exec"
}
variable "wait_for_cluster_command" {
type = string
default = "curl --silent --fail --retry 60 --retry-delay 5 --retry-connrefused --insecure --output /dev/null $ENDPOINT/healthz"
description = "`local-exec` command to execute to determine if the EKS cluster is healthy. Cluster endpoint are available as environment variable `ENDPOINT`"
}
variable "kubernetes_config_map_ignore_role_changes" {
type = bool
default = true
description = "Set to `true` to ignore IAM role changes in the Kubernetes Auth ConfigMap"
}
variable "cluster_encryption_config_enabled" {
type = bool
default = true
description = "Set to `true` to enable Cluster Encryption Configuration"
}
variable "cluster_encryption_config_kms_key_id" {
type = string
default = ""
description = "KMS Key ID to use for cluster encryption config"
}
variable "cluster_encryption_config_kms_key_enable_key_rotation" {
type = bool
default = true
description = "Cluster Encryption Config KMS Key Resource argument - enable kms key rotation"
}
variable "cluster_encryption_config_kms_key_deletion_window_in_days" {
type = number
default = 10
description = "Cluster Encryption Config KMS Key Resource argument - key deletion windows in days post destruction"
}
variable "cluster_encryption_config_kms_key_policy" {
type = string
default = null
description = "Cluster Encryption Config KMS Key Resource argument - key policy"
}
variable "cluster_encryption_config_resources" {
type = list(any)
default = ["secrets"]
description = "Cluster Encryption Config Resources to encrypt, e.g. ['secrets']"
}
variable "permissions_boundary" {
type = string
default = null
description = "If provided, all IAM roles will be created with this permissions boundary attached."
}