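# ---------------------------------------------------------------------------
# Naming inputs. Judging by the `delimiter` description these are joined as
# namespace<delimiter>stage<delimiter>name<delimiter>attributes to form the
# cluster name / labels; the actual composition lives in the module body.
# ---------------------------------------------------------------------------

variable "stage" {
  description = "The stage the cluster will be deployed for"
  type        = string
  default     = ""
}

variable "namespace" {
  description = "Namespace the cluster belongs to"
  type        = string
  default     = ""
}

variable "attributes" {
  description = "Additional attributes (e.g. `eu1`)"
  # A bare `list` keyword is the deprecated pre-0.12 shorthand for `list(any)`;
  # spelling it out keeps the identical constraint on current Terraform.
  type        = list(any)
  default     = []
}

variable "tags" {
  # Example rewritten from the deprecated map() function to an object literal.
  description = "Additional tags (e.g. { BusinessUnit = \"XYZ\" })"
  type        = map(string)
  default     = {}
}

variable "delimiter" {
  description = "Delimiter to be used between `namespace`, `stage`, `name` and `attributes`"
  type        = string
  default     = "-"
}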
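# ---------------------------------------------------------------------------
# Core cluster inputs.
# ---------------------------------------------------------------------------

variable "region" {
  description = "The own region identifier for this deployment"
  type        = string
}

variable "kubernetes_version" {
  description = "The kubernetes version to deploy"
  type        = string
  # NOTE(review): Kubernetes 1.18 is long past upstream end of life and no
  # longer receives security patches. Override this in every deployment; the
  # default is left unchanged here only to avoid surprising existing callers.
  default     = "1.18.8"
}

variable "instance_groups" {
  description = "Instance groups to create. The masters are included by default. You will need to configure at least one additional node group"
  # `list(any)` is the explicit form of the deprecated bare `list` keyword.
  # No default: the module cannot build a usable cluster without worker groups.
  type        = list(any)
}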
# ---------------------------------------------------------------------------
# Control-plane sizing.
# ---------------------------------------------------------------------------

variable "master_machine_type" {
  description = "The AWS instance type to use for the masters"
  type        = string
  default     = "m5.large"
}

variable "masters_instance_count" {
  # etcd needs a majority of members to stay up, so an odd count is expected;
  # five tolerates the loss of two masters as the description says.
  description = "Number of master nodes to create. Suggesting at least 5 to support failover of 2 masters"
  type        = number
  default     = 5
}
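# ---------------------------------------------------------------------------
# etcd configuration. Two volumes exist: "main" (cluster state, including
# every Secret object) and "events".
# NOTE(review): whether these EBS volumes are encrypted at rest is decided in
# the module body, not by any variable here — confirm before relying on it.
# ---------------------------------------------------------------------------

variable "etcd_version" {
  description = "Version of etcd to use for kubernetes backend"
  type        = string
  # NOTE(review): pinned to a 2019 release; consider overriding with a
  # currently maintained 3.4.x/3.5.x build.
  default     = "3.4.3"
}

variable "etcd_events_storage_type" {
  description = "Storage type to use for the etcd events volume. If required you may use io1"
  type        = string
  default     = "gp2"
}

variable "etcd_events_storage_size" {
  # Unit is presumably GiB (EBS volume size) — confirm against the module body.
  description = "Amount of Storage for event volumes"
  type        = number
  default     = 64
}

variable "etcd_events_storage_iops" {
  # 0 = none requested; provisioned IOPS only apply to the io1 storage type.
  description = "Additional IOPS for event volumes"
  type        = number
  default     = 0
}

variable "etcd_main_storage_type" {
  # Fixed: the description used to say "events volume" (copy-paste error).
  description = "Storage type to use for the etcd main volume. If required you may use io1"
  type        = string
  default     = "gp2"
}

variable "etcd_main_storage_size" {
  # Unit is presumably GiB (EBS volume size) — confirm against the module body.
  description = "Amount of Storage for main volumes"
  type        = number
  default     = 48
}

variable "etcd_main_storage_iops" {
  # 0 = none requested; provisioned IOPS only apply to the io1 storage type.
  description = "Additional IOPS for main volumes"
  type        = number
  default     = 0
}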
# ---------------------------------------------------------------------------
# Master capacity strategy and pod admission hardening.
# ---------------------------------------------------------------------------

variable "masters_spot_enabled" {
  description = "If set to true creates spot requests for master instances"
  type        = bool
  default     = false
}

variable "masters_spot_on_demand" {
  # Floor of on-demand masters kept when spot is enabled, so a simultaneous
  # spot reclaim cannot take the control plane below this many nodes.
  description = "Minimum on demand instances for masters to avoid service interruption when multiple spot instances go away at the same time"
  type        = number
  default     = 2
}

variable "enable_pod_security_policies" {
  # Off by default, so pods are not subject to any PSP restriction unless this
  # is switched on. NOTE(review): PodSecurityPolicy was removed upstream in
  # Kubernetes 1.25; this only has an effect on versions that still ship it.
  description = "Enables the PodSecurityPolicy admission controller. Kops will deploy kube-system PSP and Binding"
  type        = bool
  default     = false
}
# ---------------------------------------------------------------------------
# Bastion, zone spread and minimum worker capacity.
# ---------------------------------------------------------------------------

variable "bastion_machine_type" {
  description = "The AWS instance type to use for the bastions"
  type        = string
  default     = "t2.micro"
}

variable "bastion_default_instance_count" {
  # Presumably 0 disables the bastion altogether; only 0 and 1 are supported.
  description = "Number of default instances for the bastion. Supported are currently 0 or 1"
  type        = number
  default     = 1
}

variable "max_availability_zones" {
  # Hard-capped at 3 by the module according to the description.
  description = "Maximum availability zones to span with this cluster. We currently only support 3!!"
  type        = number
  default     = 3
}

variable "require_one_node" {
  description = "If minSize of all worker instance group is set to 0 but at least one node is required. If you need one node in each AZ set minSize from one of your instance groups to 1"
  type        = bool
  default     = false
}
# ---------------------------------------------------------------------------
# API server throughput limits, extra addons and post-deploy validation.
# ---------------------------------------------------------------------------

variable "max_mutating_requests_in_flight" {
  # Back-pressure limit for write requests at the API server; too high a value
  # lets a client overwhelm etcd, too low causes spurious 429s.
  description = "Max requests in flight mutating API objects. Depends on the machine type and count for masters, as well as IOPS of etcd volumes"
  type        = number
  default     = 600
}

variable "max_requests_in_flight" {
  # Same idea for read-only requests.
  description = "Max requests in flight reading API objects. Depends on the machine type and count for masters, as well as IOPS of etcd volumes"
  type        = number
  default     = 1000
}

variable "kops_addons" {
  # NOTE(review): addon manifests are applied to the cluster with kops'
  # privileges; treat every entry as trusted code and pin it to a reviewed
  # source/version rather than a moving reference.
  description = "Additional kops addons to include in the cluster manifest"
  type        = list(string)
  default     = []
}

variable "enable_kops_validation" {
  description = "Useful if you want to wait for cluster to start up, deploy further things and then validate the clusters health. In that case set the validation to false"
  type        = bool
  default     = true
}
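# ---------------------------------------------------------------------------
# State bucket access, local key material and network exposure of the
# cluster. These are the security-sensitive inputs of the module.
# ---------------------------------------------------------------------------

variable "custom_s3_policies" {
  # NOTE(review): the kops state bucket typically also holds cluster PKI and
  # secrets, not only the cluster spec. Keep `principals` to specific roles
  # and prefer `readonly = true`; never grant a wildcard principal.
  description = "Custom policies to attach to the kops s3 state bucket. You can specify readonly (true, Get* and List*), actions ([*]), resources (bucket) and principals"
  # `list(any)` is the explicit form of the deprecated bare `list` keyword.
  type        = list(any)
  default     = []
}

variable "secrets_path" {
  # Cluster CA and SSH private key material is written here on the machine
  # running terraform. Keep this path out of version control and restrict its
  # filesystem permissions; anyone who can read it can sign cluster certs.
  description = "Path to put CA and SSH keys into"
  type        = string
  default     = "/secrets/tf"
}

variable "ssh_access_cidrs" {
  # NOTE(review): what an empty list means is decided in the module body —
  # either "no access" or a fallback to kops' own default of 0.0.0.0/0.
  # Confirm before relying on `[]` as "closed".
  description = "Allowed CIDRs for SSH access"
  type        = list(string)
  default     = []
}

variable "api_access_cidrs" {
  # Same caveat as ssh_access_cidrs regarding the empty-list default.
  # Fixed typo: "acces" -> "access".
  description = "Allowed CIDRs to access kubernetes master API"
  type        = list(string)
  default     = []
}

variable "create_public_api_record" {
  # Opens the API load balancer to the whole Internet at the security-group
  # level, bypassing api_access_cidrs. Leave false unless the client set truly
  # cannot be expressed as CIDRs, and then rely on strong authentication
  # (see the OIDC variables below).
  description = "Creates a public API record and grants 0.0.0.0/0 on the API LB security group. This is useful in scenarios where you want to use private dns but make the API server accessible using a public hosted zone"
  type        = bool
  default     = false
}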
# ---------------------------------------------------------------------------
# DNS, remote state bucket and master IAM role extensions.
# ---------------------------------------------------------------------------

variable "public_record_name" {
  description = "Subdomain to use for the additional public record pointing to the master API"
  type        = string
  default     = ""
}

variable "cluster_dns" {
  description = "The DNS zone to use for the cluster if it differs from cluster name"
  type        = string
  default     = ""
}

variable "cluster_dns_type" {
  # "Private" keeps cluster records off the public Internet; only two values
  # are meaningful per the description.
  description = "The topology for the cluster dns zone (Private or Public)"
  type        = string
  default     = "Private"
}

variable "tf_bucket" {
  description = "The Bucket name to load remote state from"
  type        = string
  default     = ""
}

variable "additional_master_policies" {
  # Inline IAM statements attached to the master instance role. Anything that
  # can reach the instance metadata endpoint on a master inherits these, so
  # avoid wildcard Action/Resource entries.
  description = "Additional policy documents to attach to the masters (Effect, Action, Resource policy as JSON list)"
  type        = string
  default     = ""
}

variable "external_master_policies" {
  # Managed-policy ARNs; same least-privilege caveat as above.
  description = "Additional policy ARNs to attach to the master role"
  type        = list(string)
  default     = []
}

variable "bastion_public_name" {
  # NOTE(review): the default is non-empty, so a public DNS record for the
  # bastion is presumably created unless this is overridden (likely to "") —
  # confirm in the module body.
  description = "Set to any subdomain name of your cluster dns to create a public dns entry for your bastion"
  type        = string
  default     = "bastion"
}
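# ---------------------------------------------------------------------------
# TLS certificate source. Resolution order per the descriptions:
# acm_module_state -> certificate_arn -> dns_module_state.
# ---------------------------------------------------------------------------

variable "acm_module_state" {
  # Fixed: the description used to say "VPC module" (copy-paste error).
  description = "The key or path to the state where an ACM module was installed. It must expose a certificate_arn"
  type        = string
  default     = ""
}

variable "dns_module_state" {
  description = "The key or path to the state where a DNS module was installed. It must expose a domain_name. If acm_module_state and certificate_arn are not set we try to get the certificate_arn from this module"
  type        = string
  default     = ""
}

variable "certificate_arn" {
  description = "The ACM Certificate ARN to use if acm_module_state is not set"
  type        = string
  default     = ""
}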
# ---------------------------------------------------------------------------
# Network placement. Either point at a VPC module's remote state or pass the
# VPC and subnet details explicitly.
# ---------------------------------------------------------------------------

variable "vpc_module_state" {
  description = "The key or path to the state where a VPC module was installed. It must expose a vpc_id and public_ as well as private_subnet_ids"
  type        = string
  default     = ""
}

variable "vpc_id" {
  description = "The VPC ID to use if vpc_module_state is not set"
  type        = string
  default     = ""
}

variable "vpc_cidr" {
  description = "The VPC CIDR to use if vpc_module_state is not set"
  type        = string
  default     = ""
}

variable "public_subnet_ids" {
  description = "List of public subnet ids. Can be read from vpc remote state"
  type        = list(string)
  default     = []
}

variable "private_subnet_ids" {
  # Masters and workers presumably land in these; confirm in the module body.
  description = "List of private subnet ids. Can be read from vpc remote state"
  type        = list(string)
  default     = []
}

variable "public_subnet_cidrs" {
  description = "List of public subnet cidrs. Can be read from vpc remote state"
  type        = list(string)
  default     = []
}

variable "private_subnet_cidrs" {
  description = "List of private subnet cidrs. Can be read from vpc remote state"
  type        = list(string)
  default     = []
}
# ---------------------------------------------------------------------------
# Target AWS account/region.
# ---------------------------------------------------------------------------

variable "aws_region" {
  description = "The AWS region the cluster will be deployed into if the target is not the current region"
  type        = string
  default     = ""
}

variable "aws_account_id" {
  description = "AWS Account ID. Defaults to current Account ID"
  type        = string
  default     = ""
}

# Workaround for https://github.com/terraform-providers/terraform-provider-aws/issues/8242
variable "external_account" {
  # Cross-account deployments need extra access granted to kops; exactly what
  # is granted is defined in the module body.
  description = "Whether kops is deployed into a different AWS account. Required to provide kops access to this account"
  type        = bool
  default     = false
}
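# ---------------------------------------------------------------------------
# How kops itself authenticates to the cluster, and the OIDC master switch.
# ---------------------------------------------------------------------------

variable "kops_auth_method" {
  # NOTE(review): basic-auth credentials for the API server were removed
  # upstream in Kubernetes 1.19; prefer the OIDC-token path the description
  # mentions when the cluster version allows it.
  description = "Method for kops to use to authenticate. This is to support kops authentication via OIDC Access Token to avoid basic credentials for Kube API Server"
  type        = string
  default     = "kubecfg"
}

variable "kops_auth_always" {
  # Fixed typo: "kubecgf" -> "kubecfg".
  # The regenerated kubecfg is a credential; where it ends up (local disk,
  # terraform state) is decided in the module body — confirm it is not
  # persisted in plaintext state.
  description = "Creates a diff for kops auth resources and creates a new kubecfg on each run. If set to false the kubecfg will be generated only once"
  type        = bool
  default     = true
}

variable "openid_connect_enabled" {
  description = "If set to true requires all other oidc_ prefixed variables to be set to configure OpenID connect on the Kubernetes API Server"
  type        = bool
  default     = false
}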
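# ---------------------------------------------------------------------------
# OpenID Connect settings for the API server (only read when
# openid_connect_enabled = true, per its description).
# ---------------------------------------------------------------------------

variable "oidc_issuer_url" {
  # Fixed typo: "issue URL" -> "issuer URL". Must be an https URL; the API
  # server will reject plain http issuers.
  description = "The issuer URL of the OIDC token issuer"
  type        = string
  default     = ""
}

variable "oidc_client_id" {
  description = "The client ID for the API to use"
  type        = string
  default     = ""
}

variable "oidc_username_claim" {
  description = "The field representing the claim with username set"
  type        = string
  default     = ""
}

variable "oidc_username_prefix" {
  # Fixed typo in the example: "oicd:" -> "oidc:". A non-empty prefix keeps
  # OIDC-derived usernames from colliding with built-in ones such as
  # system:* accounts.
  description = "A prefix to identify username claim (eg. oidc:)"
  type        = string
  default     = ""
}

variable "oidc_groups_claim" {
  description = "The field representing the claim with groups defined"
  type        = string
  default     = ""
}

variable "oidc_groups_prefix" {
  # Fixed typo in the example: "oicd:" -> "oidc:". Same collision argument as
  # for usernames (e.g. a provider group literally named system:masters).
  description = "A prefix to identify group claim (eg. oidc:)"
  type        = string
  default     = ""
}

variable "oidc_ca_file" {
  # Presumably mutually exclusive with oidc_ca_content; confirm in main.tf.
  description = "Must be a path on the local file system containing the CA file"
  type        = string
  default     = ""
}

variable "oidc_ca_content" {
  description = "Full content of the OIDC signing certificate"
  type        = string
  default     = ""
}

variable "oidc_required_claims" {
  # Extra key/value pairs a token must carry to be accepted, on top of a
  # valid signature and audience.
  description = "Required claims which must be set to allow access"
  type        = list(object({ key = string, value = string }))
  default     = []
}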