# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# tfdoc:file:description Variables definition.
# VPC Service Controls access policy used by this stage: either reference an
# existing policy through 'policy_name', or request creation of a new
# folder-scoped policy through 'access_policy_create'.
variable "access_policy_config" {
  description = "Provide 'access_policy_create' values if a folder scoped Access Policy creation is needed, uses existing 'policy_name' otherwise. Parent is in 'organizations/123456' format. Policy will be created scoped to the folder."
  nullable    = false
  type = object({
    # Name of an existing access policy; leave null when creating one.
    policy_name = optional(string)
    # Creation parameters; null means "reuse policy_name".
    access_policy_create = optional(object({
      parent = string # 'organizations/nnn'
      title  = string
    }))
  })
  # NOTE(review): unlike folder_config and project_config there is no
  # validation requiring one of the two attributes to be set; confirm this is
  # intended (e.g. for deployments with enable_features.vpc_sc = false).
}
# Folder holding the configuration data files consumed by this stage.
# Presumably resolved relative to the module directory — confirm against
# the file()/fileset() calls that read it.
variable "data_dir" {
  description = "Relative path for the folder storing configuration data."
  default     = "data"
  type        = string
}
# Feature toggles for the stage. The explicit default block repeats the
# optional() defaults so that omitting the variable altogether yields the
# same values as passing an empty object.
variable "enable_features" {
  description = "Flag to enable features on the solution."
  default = {
    encryption = false
    log_sink   = true
    vpc_sc     = true
  }
  type = object({
    # Off by default; presumably wires kms_keys into the created resources —
    # confirm in the resource definitions before relying on it.
    encryption = optional(bool, false)
    log_sink   = optional(bool, true)
    vpc_sc     = optional(bool, true)
  })
}
# Folder hosting the stage resources: reuse an existing one via 'folder_id'
# or create a new one via 'folder_create'.
variable "folder_config" {
  description = "Provide 'folder_create' values if folder creation is needed, uses existing 'folder_id' otherwise. Parent is in 'folders/nnn' or 'organizations/nnn' format."
  nullable    = false
  type = object({
    folder_id = optional(string)
    folder_create = optional(object({
      display_name = string
      parent       = string # 'folders/nnn' or 'organizations/nnn'
    }))
  })
  # Rejects an empty object; which attribute wins when both are set is
  # decided by the consuming resources, not here.
  validation {
    condition     = var.folder_config.folder_id != null || var.folder_config.folder_create != null
    error_message = "At least one attribute should be set."
  }
}
# Group names (not full addresses) used by the stage; presumably combined
# with organization.domain where IAM bindings are built — confirm in the
# locals that consume them.
variable "groups" {
  description = "User groups."
  default     = {}
  nullable    = false
  type = object({
    workload-engineers = optional(string, "gcp-data-engineers")
    workload-security  = optional(string, "gcp-data-security")
  })
}
# KMS keys managed by the stage. Note this variable is nullable (no
# `nullable = false`), so an explicit null is not replaced by the default.
variable "kms_keys" {
  description = "KMS keys to create, keyed by name."
  default     = {}
  type = map(object({
    # Presumably role => list of members — confirm against the KMS module.
    iam    = optional(map(list(string)), {})
    labels = optional(map(string), {})
    # One key ring/key per location.
    locations = optional(list(string), ["global", "europe", "europe-west1"])
    # 7776000s is 90 days.
    rotation_period = optional(string, "7776000s")
  }))
}
# Locations for the log destinations created by the stage.
variable "log_locations" {
  description = "Optional locations for GCS, BigQuery, and logging buckets created here."
  nullable    = false
  type = object({
    bq      = optional(string, "europe")
    logging = optional(string, "global")
    pubsub  = optional(string, "global")
    storage = optional(string, "europe")
  })
  default = {
    bq      = "europe"
    logging = "global"
    # NOTE(review): null here while the optional() default above is "global";
    # confirm which value the pubsub destination actually ends up with.
    pubsub  = null
    storage = "europe"
  }
}
# Organization-level log sinks. Each entry routes the logs matching 'filter'
# to a destination of kind 'type'.
variable "log_sinks" {
  description = "Org-level log sinks, in name => {type, filter} format."
  type = map(object({
    filter = string
    type   = string
  }))
  default = {
    # Admin Activity and System Event audit logs only: Data Access audit logs
    # are not matched by this filter.
    audit-logs = {
      filter = "logName: \"/logs/cloudaudit.googleapis.com%2Factivity\" OR logName: \"/logs/cloudaudit.googleapis.com%2Fsystem_event\""
      type   = "bigquery"
    }
    # VPC Service Controls audit records.
    vpc-sc = {
      filter = "protoPayload.metadata.@type=\"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata\""
      type   = "bigquery"
    }
  }
  # Destination kind must be one the stage knows how to create.
  validation {
    condition = alltrue([
      for sink in var.log_sinks :
      contains(["bigquery", "logging", "pubsub", "storage"], sink.type)
    ])
    error_message = "Type must be one of 'bigquery', 'logging', 'pubsub', 'storage'."
  }
}
# Organization the stage operates in. Required: there is no default.
variable "organization" {
  description = "Organization details."
  type = object({
    domain = string
    # Presumably the bare numeric id without the 'organizations/' prefix —
    # confirm against the places that build parent strings from it.
    id = string
  })
}
# Required naming prefix; no length or character validation is applied here.
variable "prefix" {
  type        = string
  description = "Prefix used for resources that need unique names."
}
# Projects used by the stage: created when a billing account is given,
# otherwise the ids in 'project_ids' are taken as existing projects.
# NOTE(review): the description mentions a parent format, but the object has
# no parent attribute; presumably the parent comes from folder_config —
# confirm and adjust the description if so.
variable "project_config" {
  description = "Provide 'billing_account_id' value if project creation is needed, uses existing 'project_ids' if null. Parent is in 'folders/nnn' or 'organizations/nnn' format."
  nullable    = false
  type = object({
    billing_account_id = optional(string)
    project_ids = optional(object({
      audit-logs = string
      sec-core   = string
      }), {
      audit-logs = "audit-logs"
      sec-core   = "sec-core"
    })
  })
  validation {
    # NOTE(review): project_ids carries an object default, so this condition
    # holds whenever project_ids is simply omitted, with or without a billing
    # account; confirm it can ever fail.
    condition     = var.project_config.billing_account_id != null || var.project_config.project_ids != null
    error_message = "At least one attribute should be set."
  }
}
# VPC Service Controls access levels, keyed by name. Only 'conditions' has a
# non-null default; 'combining_function', 'negate' and the per-condition
# device policy are left null unless set.
variable "vpc_sc_access_levels" {
  description = "VPC SC access level definitions."
  default     = {}
  nullable    = false
  type = map(object({
    combining_function = optional(string)
    description        = optional(string)
    conditions = optional(list(object({
      ip_subnetworks         = optional(list(string), [])
      members                = optional(list(string), [])
      negate                 = optional(bool)
      regions                = optional(list(string), [])
      required_access_levels = optional(list(string), [])
      device_policy = optional(object({
        allowed_device_management_levels = optional(list(string))
        allowed_encryption_statuses      = optional(list(string))
        # The two attributes below are mandatory once a device policy is given.
        require_admin_approval = bool
        require_corp_owned     = bool
        require_screen_lock    = optional(bool)
        os_constraints = optional(list(object({
          minimum_version            = optional(string)
          os_type                    = string
          require_verified_chrome_os = optional(bool)
        })))
      }))
    })), [])
  }))
}
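# VPC Service Controls egress policies, keyed by name.
variable "vpc_sc_egress_policies" {
  # Fixed typo: "defnitions" -> "definitions".
  description = "VPC SC egress policy definitions."
  default     = {}
  nullable    = false
  type = map(object({
    from = object({
      # "ANY_IDENTITY" is the broadest match: every principal inside the
      # perimeter may use the policy unless 'identities' narrows it. Review
      # each entry that keeps the default.
      identity_type = optional(string, "ANY_IDENTITY")
      identities    = optional(list(string))
    })
    to = object({
      operations = optional(list(object({
        method_selectors = optional(list(string))
        service_name     = string
      })), [])
      resources = optional(list(string))
      # Resources are perimeter projects unless this is explicitly true.
      resource_type_external = optional(bool, false)
    })
  }))
}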
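# VPC Service Controls ingress policies, keyed by name.
variable "vpc_sc_ingress_policies" {
  # Fixed typo: "defnitions" -> "definitions".
  description = "VPC SC ingress policy definitions."
  default     = {}
  nullable    = false
  type = map(object({
    from = object({
      access_levels = optional(list(string), [])
      # Unlike the egress variable, identity_type has no default here and
      # stays null unless set.
      identity_type = optional(string)
      identities    = optional(list(string))
      resources     = optional(list(string), [])
    })
    to = object({
      operations = optional(list(object({
        method_selectors = optional(list(string))
        service_name     = string
      })), [])
      resources = optional(list(string))
    })
  }))
}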