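// AWS region to deploy into. The region must support EFS.
// Declared with a description so the purpose shows up in `terraform plan`
// prompts and generated module docs instead of only in this file.
variable "region" {
  type        = string
  description = "AWS region to deploy the Teleport cluster into. The region must support EFS."
}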
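// Name of the Teleport cluster being set up.
variable "cluster_name" {
  type        = string
  description = "Teleport cluster name to set up."
}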
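// Path to the Teleport Enterprise license file. Defaults to the empty string;
// NOTE(review): presumably an empty value means no license is provisioned
// (Community Edition) — confirm against the resource that consumes it.
variable "license_path" {
  type        = string
  default     = ""
  description = "Path to the Teleport Enterprise license file. Empty by default."
}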
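// Name of the AMI the cluster instances are launched from.
variable "ami_name" {
  type        = string
  description = "AMI name to use for the cluster instances."
}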
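// DNS and Let's Encrypt integration variables
// Route 53 hosted zone that will hold the proxy DNS record, e.g. example.com
variable "route53_zone" {
  type        = string
  description = "Route 53 zone name that hosts the DNS record for the proxy, e.g. example.com."
}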
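// Fully qualified domain name for the Teleport proxy, e.g. proxy.example.com.
// Expected to live inside the zone given by `route53_zone`.
variable "route53_domain" {
  type        = string
  description = "Domain name to use for the Teleport proxy, e.g. proxy.example.com."
}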
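// Whether to also create a wildcard record (*.proxy.example.com) so that
// application access subdomains resolve to the proxy.
variable "add_wildcard_route53_record" {
  type        = bool
  description = "Whether to add a wildcard DNS entry *.proxy.example.com for application access."
}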
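// Whether to enable the MongoDB listener.
// Enabling this adds a security group rule, maps the load balancer to the
// listener port, and adds the listener to the Teleport config — i.e. it opens
// an additional network port, so leave it off unless MongoDB access is needed.
variable "enable_mongodb_listener" {
  type        = bool
  default     = false
  description = "Enable the MongoDB listener (adds a security group rule, a load balancer port mapping and the Teleport config entry)."
}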
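// Whether to enable the MySQL listener.
// Enabling this adds a security group rule, maps the load balancer to the
// listener port, and adds the listener to the Teleport config — i.e. it opens
// an additional network port, so leave it off unless MySQL access is needed.
variable "enable_mysql_listener" {
  type        = bool
  default     = false
  description = "Enable the MySQL listener (adds a security group rule, a load balancer port mapping and the Teleport config entry)."
}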
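// Whether to enable the PostgreSQL listener.
// Enabling this adds a security group rule, maps the load balancer to the
// listener port, and adds the listener to the Teleport config — i.e. it opens
// an additional network port, so leave it off unless Postgres access is needed.
variable "enable_postgres_listener" {
  type        = bool
  default     = false
  description = "Enable the PostgreSQL listener (adds a security group rule, a load balancer port mapping and the Teleport config entry)."
}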
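// Name of the S3 bucket to create for encrypted Let's Encrypt certificates.
// S3 bucket names are globally unique, so pick something specific to this cluster.
variable "s3_bucket_name" {
  type        = string
  description = "S3 bucket to create for storing encrypted Let's Encrypt certificates."
}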
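// Contact email used when registering the domain with Let's Encrypt.
variable "email" {
  type        = string
  description = "Email address for Let's Encrypt domain registration."
}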
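// Name of the EC2 SSH key pair to provision the instances with. The matching
// private key grants direct SSH access to the hosts, so guard it accordingly.
variable "key_name" {
  type        = string
  description = "SSH key pair name to provision the instances with."
}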
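// Whether the proxy should use Let's Encrypt-issued certificates.
// NOTE(review): presumably mutually exclusive with `use_acm` — confirm in the
// resources that read both flags.
variable "use_letsencrypt" {
  type        = bool
  description = "Whether to use Let's Encrypt-issued certificates."
}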
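// Whether to use Amazon-issued certificates via ACM.
// This must be set to true for any use of ACM whatsoever, regardless of
// whether Terraform generates/approves the certificate.
variable "use_acm" {
  type        = bool
  default     = false
  description = "Whether to use Amazon-issued certificates via ACM. Must be true for any use of ACM, even if Terraform does not generate/approve the certificate."
}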
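// Whether to enable TLS routing in the cluster.
// See https://goteleport.com/docs/architecture/tls-routing for more information.
// Setting this disables ALL separate listener ports (including the database
// listeners above). If you also use ACM, then:
// - you must use Teleport and tsh v13+
// - you must use `tsh proxy` commands for Kubernetes/database access
variable "use_tls_routing" {
  type        = bool
  default     = false
  description = "Enable TLS routing, which multiplexes all protocols over the single web port and disables every separate listener port. With ACM this requires Teleport/tsh v13+ and `tsh proxy` for Kubernetes/database access."
}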
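// CIDR blocks allowed to connect to the SSH port.
// The default of 0.0.0.0/0 exposes the SSH port to the entire internet; set
// this to the administrative networks that actually need host-level access.
// The element type is list(string) rather than list(any) so that non-string
// elements are rejected at plan time instead of reaching the security group.
// TODO(review): a `validation` block with `can(cidrhost(...))` would catch
// malformed CIDRs early (requires Terraform >= 0.13).
variable "allowed_ssh_ingress_cidr_blocks" {
  type        = list(string)
  default     = ["0.0.0.0/0"]
  description = "CIDR blocks allowed to connect to the SSH port. The default allows the whole internet; restrict it to administrative networks."
}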
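// CIDR blocks allowed to reach all Teleport ports (web, proxy and any enabled
// database listeners). The default of 0.0.0.0/0 opens every Teleport port to
// the internet; narrow it where the user population allows.
// Typed as list(string) so non-string elements fail at plan time.
variable "allowed_ingress_cidr_blocks" {
  type        = list(string)
  default     = ["0.0.0.0/0"]
  description = "CIDR blocks allowed ingress to all Teleport ports. The default allows the whole internet."
}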
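// CIDR blocks the Teleport instances are allowed to send traffic to.
// The default of 0.0.0.0/0 permits unrestricted outbound traffic; tighten it
// if the deployment only needs to reach known endpoints.
// Typed as list(string) so non-string elements fail at plan time.
variable "allowed_egress_cidr_blocks" {
  type        = list(string)
  default     = ["0.0.0.0/0"]
  description = "CIDR blocks allowed for egress from the Teleport instances. The default allows unrestricted outbound traffic."
}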
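// KMS key alias used for encryption. The default "alias/aws/ssm" is the
// AWS-managed key for Systems Manager, whose key policy cannot be customised;
// supply a customer-managed key alias if you need control over the key policy
// or key rotation.
// NOTE(review): this file does not show which resources consume the alias —
// confirm against the consuming resources before relying on the above.
variable "kms_alias_name" {
  type        = string
  default     = "alias/aws/ssm"
  description = "KMS key alias used for encryption. Defaults to the AWS-managed SSM key; use a customer-managed key alias for key-policy control."
}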
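// EC2 instance type for the cluster nodes.
variable "cluster_instance_type" {
  type        = string
  description = "EC2 instance type for the cluster."
}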
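// (optional) Change the default authentication type used for the Teleport cluster.
// See https://goteleport.com/docs/reference/authentication for more information.
// This is useful for persisting a different default authentication type across
// AMI upgrades when you have a SAML, OIDC or GitHub connector configured in
// DynamoDB. The default if not set is "local".
// Teleport Community Edition supports "local" or "github".
// Teleport Enterprise Edition supports "local", "github", "oidc" or "saml".
// Teleport Enterprise FIPS deployments have local authentication disabled, so
// should use "github", "oidc" or "saml".
// TODO(review): a `validation` block restricting the value to those four
// strings would reject typos at plan time (requires Terraform >= 0.13).
variable "teleport_auth_type" {
  type        = string
  default     = "local"
  description = "Default authentication type for the cluster: \"local\", \"github\", \"oidc\" or \"saml\" (the last two are Enterprise-only; FIPS deployments cannot use \"local\")."
}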