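variable "project_id" {
  type = string
  validation {
    # Lowercase letters, digits and hyphens only; must start with a letter,
    # must not end with a hyphen, and must be 6-30 characters long in total
    # (1 + {4,28} + 1), which is what the error message below states.
    condition     = can(regex("^[a-z][a-z0-9-]{4,28}[a-z0-9]$", var.project_id))
    error_message = "The project_id must be a string of alphanumeric or hyphens, between 6 and 30 characters in length."
  }
  description = <<EOD
The GCP project identifier where the secret will be created.
EOD
}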
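variable "id" {
  type = string
  validation {
    # 1 to 255 characters drawn from letters, digits, underscore and hyphen;
    # no other characters and no empty value are accepted.
    condition     = can(regex("^[a-zA-Z0-9_-]{1,255}$", var.id))
    error_message = "The id must be a string of alphanumeric, hyphen, and underscore characters, and up to 255 characters in length."
  }
  description = <<EOD
The secret identifier to create; this value must be unique within the project.
EOD
}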
variable "replication_locations" {
  description = <<EOD
An optional list of replication locations for the secret. If the value is an
empty list (default) then an automatic replication policy will be applied. Use
this if you must have replication constrained to specific locations.
E.g. to use automatic replication policy (default)
replication_locations = []
E.g. to force secrets to be replicated only in us-east1 and us-west1 regions:
replication_locations = [ "us-east1", "us-west1" ]
EOD
  # No validation here: the list is either empty (automatic replication) or a
  # set of explicit locations; see `replication_keys` for the per-location
  # customer managed key map that is expected to line up with this list.
  type    = list(string)
  default = []
}
variable "replication_keys" {
  description = <<EOD
An optional map of customer managed keys per location. This needs to match the
locations specified in `replication_locations`.
E.g. replication_keys = { "us-east1": "my-key-name", "us-west1": "another-key-name" }
EOD
  type    = map(string)
  default = {}

  # A variable's validation block may only reference that variable itself, so
  # the cross-check against `replication_locations` cannot be expressed here.
  # Note also that the sketch below would not work even if cross-references
  # were allowed: `can([for ...])` is always true, because building the list
  # succeeds regardless of what contains() returns; an all-true check over the
  # list would be needed instead.
  #
  # validation {
  #   condition     = can([for k in var.replication_keys : contains(var.replication_locations, k)])
  #   error_message = "Each location in replication_keys must be defined in replication_locations"
  # }
}
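variable "accessors" {
  type    = list(string)
  default = []
  validation {
    # Each entry must be a group:, serviceAccount: or user: principal with a
    # non-empty local part AND a non-empty domain. The domain part was `[^@]*`,
    # which let values such as "user:jdoe@" pass; it is now `[^@]+`.
    # Only those three prefixes are accepted, so allUsers, allAuthenticatedUsers
    # and domain: principals are rejected and the secret cannot be opened to the
    # public through this variable.
    # The join/length construct counts the matching entries and requires that
    # count to equal the list length, i.e. every entry must match; an empty
    # list trivially passes.
    condition     = length(join("", [for acct in var.accessors : can(regex("^(?:group|serviceAccount|user):[^@]+@[^@]+$", acct)) ? "x" : ""])) == length(var.accessors)
    error_message = "Each accessors value must be a valid IAM account identifier; e.g. user:jdoe@company.com, group:admins@company.com, serviceAccount:service@project.iam.gserviceaccount.com."
  }
  description = <<EOD
An optional list of IAM account identifiers that will be granted accessor (read-only)
permission to the secret.
EOD
}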
variable "labels" {
  description = <<EOD
An optional map of label key:value pairs to assign to the secret resources.
Default is an empty map.
EOD
  # Free-form key/value labels; no validation is applied to keys or values.
  type    = map(string)
  default = {}
}
variable "length" {
  description = <<EOD
The length of the random string to generate for secret value. Default is 16.
EOD
  type    = number
  default = 16
  validation {
    # Must be a whole number of at least 1. Together with the has_*/min_*
    # variables this bounds the set of possible secret values, so shortening
    # it weakens the generated secret.
    condition     = var.length >= 1 && floor(var.length) == var.length
    error_message = "Generated secret length must be an integer greater than zero."
  }
}
variable "has_upper_chars" {
  description = <<EOD
Include uppercase alphabet characters in the generated secret. Default is true;
set to false to exclude generating a secret containing uppercase characters.
EOD
  # Disabling a character class shrinks the space of possible secret values;
  # see `min_upper_chars` for the minimum count when the class is enabled.
  type    = bool
  default = true
}
variable "min_upper_chars" {
  description = <<EOD
The minimum number of uppercase characters to include in the generated secret.
Default is 0, which allows the randomiser logic to exclude uppercase characters
if needed to satisfy other `min_` rules. Note that setting to 0 will not
guarantee uppercase characters will be excluded - set `has_upper_chars` to false
to exclude uppercase characters from generated secret.
EOD
  type    = number
  default = 0
  validation {
    # Non-negative whole number only.
    condition     = var.min_upper_chars >= 0 && floor(var.min_upper_chars) == var.min_upper_chars
    error_message = "Generated secret min_upper_chars must be an integer >= 0."
  }
}
variable "has_lower_chars" {
  description = <<EOD
Include lowercase alphabet characters in the generated secret. Default is true;
set to false to exclude generating a secret containing lowercase characters.
EOD
  # Disabling a character class shrinks the space of possible secret values;
  # see `min_lower_chars` for the minimum count when the class is enabled.
  type    = bool
  default = true
}
variable "min_lower_chars" {
  description = <<EOD
The minimum number of lowercase characters to include in the generated secret.
Default is 0, which allows the randomiser logic to exclude lowercase characters
if needed to satisfy other `min_` rules. Note that setting to 0 will not
guarantee lowercase characters will be excluded - set `has_lower_chars` to false
to exclude lowercase characters from generated secret.
EOD
  type    = number
  default = 0
  validation {
    # Non-negative whole number only.
    condition     = var.min_lower_chars >= 0 && floor(var.min_lower_chars) == var.min_lower_chars
    error_message = "Generated secret min_lower_chars must be an integer >= 0."
  }
}
variable "has_numeric_chars" {
  description = <<EOD
Include numeric characters in the generated secret. Default is true;
set to false to exclude generating a secret containing numeric characters.
EOD
  # Disabling a character class shrinks the space of possible secret values;
  # see `min_numeric_chars` for the minimum count when the class is enabled.
  type    = bool
  default = true
}
variable "min_numeric_chars" {
  description = <<EOD
The minimum number of numeric characters to include in the generated secret.
Default is 0, which allows the randomiser logic to exclude numeric characters
if needed to satisfy other `min_` rules. Note that setting to 0 will not
guarantee numeric characters will be excluded - set `has_numeric_chars` to false
to exclude numeric characters from generated secret.
EOD
  type    = number
  default = 0
  validation {
    # Non-negative whole number only.
    condition     = var.min_numeric_chars >= 0 && floor(var.min_numeric_chars) == var.min_numeric_chars
    error_message = "Generated secret min_numeric_chars must be an integer >= 0."
  }
}
variable "has_special_chars" {
  description = <<EOD
Include special characters in the generated secret. Default is true;
set to false to exclude generating a secret containing special characters.
EOD
  # Disabling a character class shrinks the space of possible secret values;
  # see `min_special_chars` and `special_char_set` for the related settings.
  type    = bool
  default = true
}
variable "min_special_chars" {
  description = <<EOD
The minimum number of special characters to include in the generated secret.
Default is 0, which allows the randomiser logic to exclude special characters
if needed to satisfy other `min_` rules. Note that setting to 0 will not
guarantee special characters will be excluded - set `has_special_chars` to false
to exclude special characters from generated secret.
EOD
  type    = number
  default = 0
  validation {
    # Non-negative whole number only.
    condition     = var.min_special_chars >= 0 && floor(var.min_special_chars) == var.min_special_chars
    error_message = "Generated secret min_special_chars must be an integer >= 0."
  }
}
variable "special_char_set" {
  description = <<EOD
Override the 'special' characters used by Terraform's random_string provider to
the set provided. Default is the same set as used by Terraform by default.
EOD
  # Narrow this set when the consumer of the secret cannot accept some of these
  # characters; a smaller set reduces the space of possible secret values.
  type    = string
  default = "!@#$%&*()-_=+[]{}<>:?"
}