zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
cloud-foundation-fabric/fast/stages/0-bootstrap/variables.tf

281 lines
8.7 KiB
HCL
Raw Blame History

/**
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
variable "billing_account" {
description = "Billing account id. If billing account is not part of the same org set `is_org_level` to `false`. To disable handling of billing IAM roles set `no_iam` to `true`."
type = object({
id = string
is_org_level = optional(bool, true)
no_iam = optional(bool, false)
})
nullable = false
}
variable "bootstrap_user" {
description = "Email of the nominal user running this stage for the first time."
type = string
default = null
}
variable "cicd_repositories" {
description = "CI/CD repository configuration. Identity providers reference keys in the `federated_identity_providers` variable. Set to null to disable, or set individual repositories to null if not needed."
type = object({
bootstrap = optional(object({
branch = string
identity_provider = string
name = string
type = string
}))
resman = optional(object({
branch = string
identity_provider = string
name = string
type = string
}))
})
default = null
validation {
condition = alltrue([
for k, v in coalesce(var.cicd_repositories, {}) :
v == null || try(v.name, null) != null
])
error_message = "Non-null repositories need a non-null name."
}
validation {
condition = alltrue([
for k, v in coalesce(var.cicd_repositories, {}) :
v == null || (
try(v.identity_provider, null) != null
||
try(v.type, null) == "sourcerepo"
)
])
error_message = "Non-null repositories need a non-null provider unless type is 'sourcerepo'."
}
validation {
condition = alltrue([
for k, v in coalesce(var.cicd_repositories, {}) :
v == null || (
contains(["github", "gitlab", "sourcerepo"], coalesce(try(v.type, null), "null"))
)
])
error_message = "Invalid repository type, supported types: 'github' 'gitlab' or 'sourcerepo'."
}
}
variable "custom_role_names" {
description = "Names of custom roles defined at the org level."
type = object({
organization_iam_admin = string
service_project_network_admin = string
tenant_network_admin = string
})
default = {
organization_iam_admin = "organizationIamAdmin"
service_project_network_admin = "serviceProjectNetworkAdmin"
tenant_network_admin = "tenantNetworkAdmin"
}
}
variable "custom_roles" {
description = "Map of role names => list of permissions to additionally create at the organization level."
type = map(list(string))
nullable = false
default = {}
}
variable "factories_config" {
description = "Configuration for the organization policies factory."
type = object({
org_policy_data_path = optional(string, "data/org-policies")
})
nullable = false
default = {}
}
variable "fast_features" {
description = "Selective control for top-level FAST features."
type = object({
data_platform = optional(bool, false)
gke = optional(bool, false)
project_factory = optional(bool, false)
sandbox = optional(bool, false)
teams = optional(bool, false)
})
default = {}
nullable = false
}
variable "federated_identity_providers" {
description = "Workload Identity Federation pools. The `cicd_repositories` variable references keys here."
type = map(object({
attribute_condition = optional(string)
issuer = string
custom_settings = optional(object({
issuer_uri = optional(string)
audiences = optional(list(string), [])
}), {})
}))
default = {}
nullable = false
# TODO: fix validation
# validation {
# condition = var.federated_identity_providers.custom_settings == null
# error_message = "Custom settings cannot be null."
# }
}
variable "group_iam" {
description = "Organization-level authoritative IAM binding for groups, in {GROUP_EMAIL => [ROLES]} format. Group emails need to be static. Can be used in combination with the `iam` variable."
type = map(list(string))
default = {}
nullable = false
}
variable "groups" {
# https://cloud.google.com/docs/enterprise/setup-checklist
description = "Group names or emails to grant organization-level permissions. If just the name is provided, the default organization domain is assumed."
type = map(string)
default = {
gcp-billing-admins = "gcp-billing-admins",
gcp-devops = "gcp-devops",
gcp-network-admins = "gcp-network-admins"
gcp-organization-admins = "gcp-organization-admins"
gcp-security-admins = "gcp-security-admins"
# gcp-support is not included in the official GCP Enterprise
# Checklist, so by default we map gcp-support to gcp-devops.
# However, we recommend creating gcp-support and updating the
# value in the following line
gcp-support = "gcp-devops"
}
}
variable "iam" {
description = "Organization-level custom IAM settings in role => [principal] format."
type = map(list(string))
nullable = false
default = {}
}
variable "iam_bindings_additive" {
description = "Organization-level custom additive IAM bindings. Keys are arbitrary."
type = map(object({
member = string
role = string
condition = optional(object({
expression = string
title = string
description = optional(string)
}))
}))
nullable = false
default = {}
}
variable "locations" {
description = "Optional locations for GCS, BigQuery, and logging buckets created here."
type = object({
bq = optional(string, "EU")
gcs = optional(string, "EU")
logging = optional(string, "global")
pubsub = optional(list(string), [])
})
nullable = false
default = {}
}
# See https://cloud.google.com/architecture/exporting-stackdriver-logging-for-security-and-access-analytics
# for additional logging filter examples
variable "log_sinks" {
description = "Org-level log sinks, in name => {type, filter} format."
type = map(object({
filter = string
type = string
}))
default = {
audit-logs = {
filter = "logName:\"/logs/cloudaudit.googleapis.com%2Factivity\" OR logName:\"/logs/cloudaudit.googleapis.com%2Fsystem_event\""
type = "logging"
}
vpc-sc = {
filter = "protoPayload.metadata.@type=\"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata\""
type = "logging"
}
}
validation {
condition = alltrue([
for k, v in var.log_sinks :
contains(["bigquery", "logging", "pubsub", "storage"], v.type)
])
error_message = "Type must be one of 'bigquery', 'logging', 'pubsub', 'storage'."
}
}
variable "org_policies_config" {
description = "Organization policies customization."
type = object({
constraints = optional(object({
allowed_policy_member_domains = optional(list(string), [])
}), {})
tag_name = optional(string, "org-policies")
tag_values = optional(map(object({
description = optional(string, "Managed by the Terraform organization module.")
iam = optional(map(list(string)), {})
id = optional(string)
})), {})
})
default = {}
}
variable "organization" {
description = "Organization details."
type = object({
domain = string
id = number
customer_id = string
})
}
variable "outputs_location" {
description = "Enable writing provider, tfvars and CI/CD workflow files to local filesystem. Leave null to disable."
type = string
default = null
}
variable "prefix" {
description = "Prefix used for resources that need unique names. Use 9 characters or less."
type = string
validation {
condition = try(length(var.prefix), 0) < 10
error_message = "Use a maximum of 9 characters for prefix."
}
}
variable "project_parent_ids" {
description = "Optional parents for projects created here in folders/nnnnnnn format. Null values will use the organization as parent."
type = object({
automation = string
billing = string
logging = string
})
default = {
automation = null
billing = null
logging = null
}
nullable = false
}
Reference in New Issue View Git Blame Copy Permalink