variables.tf
# Required input (no default): the caller must always name the resource group.
variable "resource_group_name" {
  type        = string
  description = "Resource group name"
}
# Required input (no default): the Azure region to deploy into.
variable "location" {
  type        = string
  description = "Azure Region"
}
# Required input (no default). A string map; how individual keys are
# consumed is decided by the resources that reference it, not here.
variable "names" {
  type        = map(string)
  description = "Names to be applied to resources"
}
# Required input (no default). Tags are plain string key/value pairs.
variable "tags" {
  type        = map(string)
  description = "Tags to be applied to resources"
}
# Optional: defaults to an empty string. The value is a string (presumably
# file contents or a path — confirm where it is consumed), not a parsed map.
variable "naming_rules" {
  type        = string
  default     = ""
  description = "naming conventions yaml file"
}
# Optional: enforcement is on by default. It is tied to naming_rules, so a
# caller that leaves naming_rules empty should confirm how enforcement behaves.
variable "enforce_subnet_names" {
  type        = bool
  default     = true
  description = "enforce subnet names based on naming_rules variable"
}
# Networking
# Required input (no default): one or more CIDR blocks for the virtual network.
variable "address_space" {
  type        = list(string)
  description = "CIDRs for virtual network"
}
# Optional. Left as null, the Azure-provided resolver is used; supplying a
# list points every workload in the VNet at those resolvers, so they should
# be resolvers the deployment owner controls.
variable "dns_servers" {
  type        = list(string)
  default     = null
  description = "If applicable, a list of custom DNS servers to use inside your virtual network. Unset will use default Azure-provided resolver"
}
# Per-subnet overrides keyed by subnet name. Typed as `any`, so Terraform's
# type checker does not reject unknown or misspelled keys; the only check
# performed here is the NSG-rule consistency rule in the validation block.
variable "subnets" {
  type        = any
  default     = {}
  description = "Map of subnets. Keys are subnet names, Allowed values are the same as for subnet_defaults"

  # A subnet that opts out of managed NSG rules (configure_nsg_rules = false)
  # must not also set any allow_* flag: those flags only take effect when
  # configure_nsg_rules is true (see subnet_defaults), so the combination is
  # rejected rather than accepted with no effect.
  validation {
    condition = length([
      for name, subnet in var.subnets : name
      if !lookup(subnet, "configure_nsg_rules", true) && length(setintersection(
        keys(subnet),
        ["allow_internet_outbound", "allow_lb_inbound", "allow_vnet_inbound", "allow_vnet_outbound"]
      )) > 0
    ]) == 0
    error_message = "Subnet rules not allowed when configure_nsg_rules is set to \"false\"."
  }
}
# Optional (default null). Each AKS subnet carries its own route table
# definition; subnet_info is untyped (`any`), so it is not validated here.
variable "aks_subnets" {
  type = map(object({
    subnet_info = any
    route_table = object({
      disable_bgp_route_propagation = bool
      # keys are route names, value map is route properties
      # (address_prefix, next_hop_type, next_hop_in_ip_address)
      # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/route_table#route
      routes = map(map(string))
    })
  }))
  default     = null
  description = "AKS subnets"
}
# Baseline applied to every subnet unless overridden in `subnets`.
# Default posture: an NSG is created and managed (create_network_security_group
# and configure_nsg_rules both true) with every allow_* flag false, i.e. the
# managed rules deny ingress/egress until a subnet explicitly opts into an
# allow. Per the inline notes, the allow_* flags are only honoured when
# configure_nsg_rules is true.
variable "subnet_defaults" {
  type = object({
    cidrs = list(string)
    # Network-policy switches for private endpoints / private link services in
    # the subnet; both default to enabled (see the provider docs for what each
    # policy enforces).
    private_endpoint_network_policies_enabled     = bool
    private_link_service_network_policies_enabled = bool
    service_endpoints                             = list(string)
    delegations = map(object({
      name    = string
      actions = list(string)
    }))
    # create/associate network security group with subnet
    create_network_security_group = bool
    # deny ingress/egress traffic and configure nsg rules based on the
    # allow_* parameters below
    configure_nsg_rules = bool
    # allow outbound traffic to internet (configure_nsg_rules must be set to true)
    allow_internet_outbound = bool
    # allow inbound traffic from Azure Load Balancer (configure_nsg_rules must be set to true)
    allow_lb_inbound = bool
    # allow all inbound from virtual network (configure_nsg_rules must be set to true)
    allow_vnet_inbound = bool
    # allow all outbound from virtual network (configure_nsg_rules must be set to true)
    allow_vnet_outbound = bool
    route_table_association = string
  })
  default = {
    cidrs                                         = []
    private_endpoint_network_policies_enabled     = true
    private_link_service_network_policies_enabled = true
    service_endpoints                             = []
    delegations                                   = {}
    create_network_security_group                 = true
    configure_nsg_rules                           = true
    allow_internet_outbound                       = false
    allow_lb_inbound                              = false
    allow_vnet_inbound                            = false
    allow_vnet_outbound                           = false
    route_table_association                       = null
  }
  description = "Maps of CIDRs, policies, endpoints and delegations"
}
# Optional (default: no route tables). Keyed by route table name.
variable "route_tables" {
  type = map(object({
    disable_bgp_route_propagation = bool
    # Setting to true will revert any external route additions, i.e. routes
    # added outside this configuration are removed on the next apply.
    use_inline_routes = bool
    # keys are route names, value map is route properties
    # (address_prefix, next_hop_type, next_hop_in_ip_address)
    # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/route_table#route
    routes = map(map(string))
  }))
  default     = {}
  description = "Maps of route tables"
}
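# Peering definitions keyed by name. Typed as `any`, so Terraform's type
# checker does not reject unknown keys; the validation below enforces the one
# documented hard requirement (each peer must carry a remote VNet id) at plan
# time instead of letting it surface as a provider error during apply.
variable "peers" {
  type        = any
  default     = {}
  description = "Peer virtual networks. Keys are names, allowed values are same as for peer_defaults. Id value is required."

  # Reject any peer whose `id` is missing or explicitly null.
  validation {
    condition     = length([for name, peer in var.peers : name if lookup(peer, "id", null) == null]) == 0
    error_message = "Every entry in peers must set a non-null id (the remote virtual network id)."
  }
}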
# Baseline applied to every entry in `peers` unless overridden there.
# Default posture is the narrowest peering: direct VNet-to-VNet access only.
# The three transit-related flags (allow_forwarded_traffic,
# allow_gateway_transit, use_remote_gateways) default to false; turning any
# of them on widens what the peering carries beyond direct traffic between
# the two networks, so enable them per peer only when that transit is an
# intended part of the design (see the linked provider docs for each flag).
variable "peer_defaults" {
  type = object({
    id                           = string
    allow_virtual_network_access = bool
    allow_forwarded_traffic      = bool
    allow_gateway_transit        = bool
    use_remote_gateways          = bool
  })
  default = {
    # remote virtual network id; null here because it must be set per peer
    id = null
    # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network_peering#allow_virtual_network_access
    allow_virtual_network_access = true
    # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network_peering#allow_forwarded_traffic
    allow_forwarded_traffic = false
    # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network_peering#allow_gateway_transit
    allow_gateway_transit = false
    # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network_peering#use_remote_gateways
    use_remote_gateways = false
  }
  description = "Maps of peer arguments."
}