# Identifier of the AWS SSO instance this meshPlatform integration binds to.
# Required (no default). The expected ARN shape is documented in the
# description only; this module does not validate the value itself.
variable "aws_sso_instance_arn" {
  description = "AWS SSO Instance ARN. Needs to be of the form arn:aws:sso:::instance/ssoins-xxxxxxxxxxxxxxx. Setup instructions https://docs.meshcloud.io/docs/meshstack.aws.sso-setup.html."
  type        = string
}
# Feature flag for account enrollment through AWS Control Tower.
# Off by default, so the Control Tower permissions are opt-in.
variable "control_tower_enrollment_enabled" {
  description = "Set to true, to allow meshStack to enroll Accounts via AWS Control Tower for the meshPlatform."
  type        = bool
  default     = false
}
# Service Catalog portfolio used for Control Tower enrollment.
# Defaults to the empty string; presumably only read when
# control_tower_enrollment_enabled is true — confirm against the
# resources that consume it, since an empty id is not rejected here.
variable "control_tower_portfolio_id" {
  description = "Must be set for AWS Control Tower"
  type        = string
  default     = ""
}
# External ID for the replicator's cross-account AssumeRole.
# The external ID is the confused-deputy safeguard on the role trust policy:
# the caller must present it in addition to having sts:AssumeRole rights, so
# it should be a random, per-deployment value as the description requests.
# Required (no default).
#
# NOTE(review): the UUID v4 format check is kept disabled below. Enabling it
# would reject any existing non-UUID value at plan time, so it needs a
# coordinated rotation of the ids on the meshStack side first.
variable "replicator_privileged_external_id" {
  description = "Set this variable to a random UUID version 4. The external id is a secondary key to make an AssumeRole API call."
  type        = string

  # validation {
  #   condition     = can(regex("^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$", var.replicator_privileged_external_id))
  #   error_message = "Must be a valid UUID version 4."
  # }
}
# External ID for the cost explorer's cross-account AssumeRole.
# Same role as replicator_privileged_external_id: a second, random factor the
# trust policy demands alongside sts:AssumeRole, so it must not be reused
# between deployments. Required (no default).
#
# NOTE(review): format validation stays disabled below for the same reason
# as on the replicator id — turning it on rejects existing non-UUID values.
variable "cost_explorer_privileged_external_id" {
  description = "Set this variable to a random UUID version 4. The external id is a secondary key to make an AssumeRole API call."
  type        = string

  # validation {
  #   condition     = can(regex("^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-4[0-9A-Fa-f]{3}-[89ABab][0-9A-Fa-f]{3}-[0-9A-Fa-f]{12}$", var.cost_explorer_privileged_external_id))
  #   error_message = "Must be a valid UUID version 4."
  # }
}
# Organizational Units meshStack is allowed to manage.
# The default is a wildcard pattern (account id, organization id and OU id
# are all "*"), i.e. it matches every OU reachable from the management
# account. That is convenient for a first rollout but not least-privilege;
# production deployments should pass the explicit OU ARNs instead.
variable "landing_zone_ou_arns" {
  description = "Organizational Unit ARNs that are used in Landing Zones. We recommend to explicitly list the OU ARNs that meshStack should manage."
  type        = list(string)
  default     = ["arn:aws:organizations::*:ou/o-*/ou-*"]
}
# Org paths (aws:ResourceOrgPaths condition key) under which meshStack may
# close accounts. Empty by default, so account closure is denied everywhere
# until a deployment deliberately opens specific paths.
# Condition key reference:
# https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceorgpaths
# Example entry: o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-ghi0-awsccccc/ou-jkl0-awsddddd/
variable "can_close_accounts_in_resource_org_paths" {
  description = "AWS ResourceOrgPaths that are used in Landing Zones and where meshStack is allowed to close accounts."
  type        = list(string)
  default     = []
}
# ---------------------------------------------------------------------------------------------------------------------
# OPTIONAL PARAMETERS
# These parameters have reasonable defaults.
# ---------------------------------------------------------------------------------------------------------------------
# IAM user name for the replication service principal in the meshcloud
# account. Only the name is configurable here; the permissions attached to
# it are defined elsewhere in the module.
variable "meshcloud_account_service_user_name" {
  description = "Name of the meshfed-service user. This user is responsible for replication."
  type        = string
  default     = "meshfed-service-user"
}
# Name of the role the replicator assumes in the management account.
# Overridable so it can follow an existing role-naming convention; the role
# itself and its trust policy are not defined in this file.
variable "management_account_service_role_name" {
  description = "Name of the custom role in the management account. See https://docs.meshcloud.io/docs/meshstack.how-to.integrate-meshplatform-aws-manually.html#set-up-aws-account-2-management"
  type        = string
  default     = "MeshfedServiceRole"
}
# Name of the role the replicator assumes in the automation account.
# Sibling of management_account_service_role_name; same conventions apply.
variable "automation_account_service_role_name" {
  description = "Name of the custom role in the automation account. See https://docs.meshcloud.io/docs/meshstack.how-to.integrate-meshplatform-aws-manually.html#set-up-aws-account-3-automation"
  type        = string
  default     = "MeshfedAutomationRole"
}
# Name of the management-account role used for cost/metering collection.
# Kept separate from the replicator role so the two integrations can be
# scoped independently.
variable "cost_explorer_management_account_service_role_name" {
  description = "Name of the custom role in the management account used by the cost explorer user."
  type        = string
  default     = "MeshCostExplorerServiceRole"
}
# IAM user name for the cost explorer principal in the meshcloud account.
variable "cost_explorer_meshcloud_account_service_user_name" {
  description = "Name of the user using cost explorer service to collect metering data."
  type        = string
  default     = "meshcloud-cost-explorer-user"
}
# Opt-in for letting meshStack manage SSO access to the organization's
# root (management) account. Defaults to off: access to that account is
# the highest-impact grant in the organization, so it must be enabled
# deliberately.
variable "support_root_account_via_aws_sso" {
  description = "Set to true to allow meshStack to manage the Organization's AWS Root account's access via AWS SSO."
  type        = bool
  default     = false
}
# Whether long-lived access keys are created for the service users.
# Defaults to true for compatibility. Deployments that configure
# workload_identity_federation can set this to false so no static
# credential exists to leak or rotate.
variable "create_access_keys" {
  description = "Set to false to disable creation of any service account access keys."
  type        = bool
  default     = true
}
# OIDC trust settings for keyless authentication from meshStack.
# null (the default) means no identity provider is configured and the
# integration relies on access keys instead. When set, the trust is pinned
# by issuer, audience and the provider's certificate thumbprint, and each
# component (replicator, kraken) authenticates with its own subject claim;
# how these fields are wired into the provider and role trust policies is
# defined outside this file.
variable "workload_identity_federation" {
  description = "Set these options to add a trusted identity provider from meshStack to allow workload identity federation for authentication which can be used instead of access keys."
  default     = null
  type = object({
    issuer             = string,
    audience           = string,
    thumbprint         = string,
    replicator_subject = string,
    kraken_subject     = string
  })
}