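variable "vpc_id" {
  type        = string
  description = "The ID of the VPC to which the Virtual Private Gateway will be attached"
  default     = null

  # Fail at plan time on obvious typos (e.g. a subnet or VPC-endpoint ID pasted by mistake)
  # instead of letting the AWS API reject the attachment halfway through an apply.
  # `null` is still accepted so callers that do not attach a VGW are unaffected.
  validation {
    condition     = var.vpc_id == null || can(regex("^vpc-[0-9a-f]+$", var.vpc_id))
    error_message = "vpc_id must be a VPC identifier of the form `vpc-xxxxxxxx`, or null."
  }
}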
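variable "vpn_gateway_amazon_side_asn" {
  type        = number
  description = "The Autonomous System Number (ASN) for the Amazon side of the VPN gateway. Defaults to 64512, which is also the ASN AWS assigns when none is specified"
  default     = 64512
  nullable    = false

  # AWS only accepts private ASNs here: 16-bit 64512-65534 or 32-bit 4200000000-4294967294.
  # Validating up front avoids a failed apply after the CGW/VPN resources have already been created.
  validation {
    condition = (
      (var.vpn_gateway_amazon_side_asn >= 64512 && var.vpn_gateway_amazon_side_asn <= 65534) ||
      (var.vpn_gateway_amazon_side_asn >= 4200000000 && var.vpn_gateway_amazon_side_asn <= 4294967294)
    )
    error_message = "vpn_gateway_amazon_side_asn must be a private ASN: 64512-65534 or 4200000000-4294967294."
  }
}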
# Free-form label applied to the Customer Gateway's `device_name`; an empty string
# (the default) leaves the device name unset.
variable "customer_gateway_device_name" {
  description = "The Device Name of the Customer Gateway"
  type        = string
  default     = ""
}
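variable "customer_gateway_bgp_asn" {
  type        = number
  description = "The Customer Gateway's Border Gateway Protocol (BGP) Autonomous System Number (ASN). Valid values are 1 to 2147483647"
  default     = 65000
  nullable    = false

  # The Customer Gateway `bgp_asn` attribute accepts 1-2147483647; larger 32-bit ASNs need
  # the separate extended-ASN attribute, which this module does not expose. Reject
  # out-of-range and fractional values before they reach the API.
  validation {
    condition = (
      var.customer_gateway_bgp_asn >= 1 &&
      var.customer_gateway_bgp_asn <= 2147483647 &&
      floor(var.customer_gateway_bgp_asn) == var.customer_gateway_bgp_asn
    )
    error_message = "customer_gateway_bgp_asn must be a whole number between 1 and 2147483647."
  }
}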
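variable "customer_gateway_ip_address" {
  type        = string
  description = "The IPv4 address of the Customer Gateway's Internet-routable external interface. Set to `null` to not create the Customer Gateway"
  default     = null

  # `null` is the documented "do not create a CGW" sentinel and must stay accepted.
  # Anything else has to parse as a single IPv4 address: cidrnetmask() only understands
  # IPv4 prefixes, so "<addr>/32" fails for hostnames, IPv6 and malformed input.
  validation {
    condition     = var.customer_gateway_ip_address == null || can(cidrnetmask("${var.customer_gateway_ip_address}/32"))
    error_message = "customer_gateway_ip_address must be a plain IPv4 address (e.g. 203.0.113.10), or null."
  }
}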
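variable "route_table_ids" {
  type        = list(string)
  description = "The IDs of the route tables for which routes from the Virtual Private Gateway will be propagated"
  default     = []
  nullable    = false

  # Each entry must look like a VPC route table ID. alltrue([]) is true, so the empty
  # default still passes.
  validation {
    condition     = alltrue([for id in var.route_table_ids : can(regex("^rtb-[0-9a-f]+$", id))])
    error_message = "Every entry of route_table_ids must be a route table identifier of the form `rtb-xxxxxxxx`."
  }
}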
# Switches the VPN connection from BGP to static routing. Required for customer
# gateway devices without BGP support; the destinations then come from
# `vpn_connection_static_routes_destinations`.
variable "vpn_connection_static_routes_only" {
  description = "If set to `true`, the VPN connection will use static routes exclusively. Static routes must be used for devices that don't support BGP"
  type        = bool
  nullable    = false
  default     = false
}
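variable "vpn_connection_static_routes_destinations" {
  type        = list(string)
  description = "List of CIDR blocks to be used as destination for static routes. Routes to destinations will be propagated to the route tables defined in `route_table_ids`"
  default     = []
  nullable    = false

  # Reject anything that is not a parseable CIDR prefix so a typo does not surface
  # only as an API error after the VPN connection has been created.
  validation {
    condition     = alltrue([for cidr in var.vpn_connection_static_routes_destinations : can(cidrhost(cidr, 0))])
    error_message = "Every entry of vpn_connection_static_routes_destinations must be a valid CIDR block (e.g. 10.0.0.0/16)."
  }
}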
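variable "vpn_connection_local_ipv4_network_cidr" {
  type        = string
  description = "The IPv4 CIDR on the Customer Gateway (on-premises) side of the VPN connection. This is the traffic selector for the on-premises side; the `0.0.0.0/0` default permits any on-premises source, so narrow it to the actual on-premises range where possible"
  default     = "0.0.0.0/0"

  # `null` stays allowed (the variable is nullable) so the provider default applies.
  # cidrnetmask() is IPv4-only, which also enforces the "ipv4" in the variable name.
  validation {
    condition     = var.vpn_connection_local_ipv4_network_cidr == null || can(cidrnetmask(var.vpn_connection_local_ipv4_network_cidr))
    error_message = "vpn_connection_local_ipv4_network_cidr must be a valid IPv4 CIDR block (e.g. 192.168.0.0/16), or null."
  }
}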
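variable "vpn_connection_remote_ipv4_network_cidr" {
  type        = string
  description = "The IPv4 CIDR on the AWS side of the VPN connection. This is the traffic selector for the AWS side; the `0.0.0.0/0` default permits any AWS-side destination, so narrow it to the VPC/TGW ranges actually reachable over the tunnel where possible"
  default     = "0.0.0.0/0"

  # `null` stays allowed (the variable is nullable) so the provider default applies.
  # cidrnetmask() is IPv4-only, which also enforces the "ipv4" in the variable name.
  validation {
    condition     = var.vpn_connection_remote_ipv4_network_cidr == null || can(cidrnetmask(var.vpn_connection_remote_ipv4_network_cidr))
    error_message = "vpn_connection_remote_ipv4_network_cidr must be a valid IPv4 CIDR block (e.g. 10.0.0.0/16), or null."
  }
}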
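variable "vpn_connection_log_retention_in_days" {
  type        = number
  description = "Specifies the number of days you want to retain VPN tunnel log events in CloudWatch Logs. Use `0` to never expire. CloudWatch Logs accepts only a fixed set of retention periods; see the `retention_in_days` documentation of `aws_cloudwatch_log_group` for the current list"
  default     = 30
  nullable    = false

  # Tunnel logs are the primary evidence for IKE/IPsec negotiation failures and
  # incident response, so a negative or fractional retention is never meaningful.
  # The exact set of accepted values is maintained by AWS and is not duplicated here.
  validation {
    condition = (
      var.vpn_connection_log_retention_in_days >= 0 &&
      floor(var.vpn_connection_log_retention_in_days) == var.vpn_connection_log_retention_in_days
    )
    error_message = "vpn_connection_log_retention_in_days must be a non-negative whole number of days (0 = never expire)."
  }
}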
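variable "vpn_connection_tunnel1_dpd_timeout_action" {
  type        = string
  description = "The action to take after DPD timeout occurs for the first VPN tunnel. Specify `restart` to restart the IKE initiation. Specify `clear` to end the IKE session. Valid values are `clear` | `none` | `restart`"
  default     = "clear"
  nullable    = false

  # The description already lists the only accepted values; enforce them so a typo
  # such as "Clear" fails at plan time rather than at apply time.
  validation {
    condition     = contains(["clear", "none", "restart"], var.vpn_connection_tunnel1_dpd_timeout_action)
    error_message = "vpn_connection_tunnel1_dpd_timeout_action must be one of `clear`, `none` or `restart`."
  }
}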
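variable "vpn_connection_tunnel1_ike_versions" {
  type        = list(string)
  description = "The IKE versions that are permitted for the first VPN tunnel. Valid values are `ikev1` | `ikev2`. An empty list leaves the choice to the provider/AWS default. Prefer `[\"ikev2\"]` unless the customer gateway device only supports IKEv1"
  default     = []
  nullable    = false

  # Only the two documented values are meaningful; anything else would be rejected by AWS.
  validation {
    condition     = alltrue([for v in var.vpn_connection_tunnel1_ike_versions : contains(["ikev1", "ikev2"], v)])
    error_message = "Every entry of vpn_connection_tunnel1_ike_versions must be `ikev1` or `ikev2`."
  }
}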
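variable "vpn_connection_tunnel1_inside_cidr" {
  type        = string
  description = "The CIDR block of the inside IP addresses for the first VPN tunnel. Must be a /30 within the 169.254.0.0/16 link-local range; AWS reserves a handful of /30 blocks in that range (see the AWS Site-to-Site VPN tunnel options documentation). Set to `null` to let AWS pick one"
  default     = null

  # Enforce the link-local /30 shape. The reserved-block list is maintained by AWS and
  # is deliberately not hard-coded here; the API still rejects those.
  validation {
    condition = (
      var.vpn_connection_tunnel1_inside_cidr == null ||
      (
        can(cidrhost(var.vpn_connection_tunnel1_inside_cidr, 0)) &&
        can(regex("^169\\.254\\.[0-9]{1,3}\\.[0-9]{1,3}/30$", var.vpn_connection_tunnel1_inside_cidr))
      )
    )
    error_message = "vpn_connection_tunnel1_inside_cidr must be a /30 inside 169.254.0.0/16 (e.g. 169.254.10.0/30), or null."
  }
}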
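variable "vpn_connection_tunnel1_phase1_encryption_algorithms" {
  type        = list(string)
  description = "List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are `AES128` | `AES256` | `AES128-GCM-16` | `AES256-GCM-16`. An empty list leaves the choice to the provider/AWS default; to pin a policy, list only the AES-256 (preferably GCM) options"
  default     = []
  nullable    = false

  # Every listed algorithm is offered to the peer, so an unknown string would either be
  # rejected by AWS or silently widen the proposal set. Fail early on anything unexpected.
  validation {
    condition = alltrue([
      for alg in var.vpn_connection_tunnel1_phase1_encryption_algorithms :
      contains(["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"], alg)
    ])
    error_message = "Every entry of vpn_connection_tunnel1_phase1_encryption_algorithms must be one of AES128, AES256, AES128-GCM-16, AES256-GCM-16."
  }
}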
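variable "vpn_connection_tunnel1_phase2_encryption_algorithms" {
  type        = list(string)
  description = "List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are `AES128` | `AES256` | `AES128-GCM-16` | `AES256-GCM-16`. An empty list leaves the choice to the provider/AWS default; to pin a policy, list only the AES-256 (preferably GCM) options"
  default     = []
  nullable    = false

  # Every listed algorithm is offered to the peer, so an unknown string would either be
  # rejected by AWS or silently widen the proposal set. Fail early on anything unexpected.
  validation {
    condition = alltrue([
      for alg in var.vpn_connection_tunnel1_phase2_encryption_algorithms :
      contains(["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"], alg)
    ])
    error_message = "Every entry of vpn_connection_tunnel1_phase2_encryption_algorithms must be one of AES128, AES256, AES128-GCM-16, AES256-GCM-16."
  }
}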
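variable "vpn_connection_tunnel1_phase1_integrity_algorithms" {
  type        = list(string)
  description = "One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are `SHA1` | `SHA2-256` | `SHA2-384` | `SHA2-512`. An empty list leaves the choice to the provider/AWS default; `SHA1` is only kept for legacy devices and should be omitted when pinning a policy"
  default     = []
  nullable    = false

  # Restrict to the documented identifiers so a typo cannot slip through to the API.
  validation {
    condition = alltrue([
      for alg in var.vpn_connection_tunnel1_phase1_integrity_algorithms :
      contains(["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"], alg)
    ])
    error_message = "Every entry of vpn_connection_tunnel1_phase1_integrity_algorithms must be one of SHA1, SHA2-256, SHA2-384, SHA2-512."
  }
}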
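variable "vpn_connection_tunnel1_phase2_integrity_algorithms" {
  type        = list(string)
  description = "One or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are `SHA1` | `SHA2-256` | `SHA2-384` | `SHA2-512`. An empty list leaves the choice to the provider/AWS default; `SHA1` is only kept for legacy devices and should be omitted when pinning a policy"
  default     = []
  nullable    = false

  # Restrict to the documented identifiers so a typo cannot slip through to the API.
  validation {
    condition = alltrue([
      for alg in var.vpn_connection_tunnel1_phase2_integrity_algorithms :
      contains(["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"], alg)
    ])
    error_message = "Every entry of vpn_connection_tunnel1_phase2_integrity_algorithms must be one of SHA1, SHA2-256, SHA2-384, SHA2-512."
  }
}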
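variable "vpn_connection_tunnel1_phase1_dh_group_numbers" {
  type        = list(string)
  description = "List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24. An empty list leaves the choice to the provider/AWS default; groups 2 and 5 (1024/1536-bit MODP) are weak by current standards and should be omitted when pinning a policy"
  default     = []
  nullable    = false

  # Elements are strings (kept for backward compatibility with existing callers); the
  # provider converts them to numbers. Compare as strings against the documented set.
  validation {
    condition = alltrue([
      for g in var.vpn_connection_tunnel1_phase1_dh_group_numbers :
      contains(["2", "5", "14", "15", "16", "17", "18", "19", "20", "21", "22", "23", "24"], tostring(g))
    ])
    error_message = "Every entry of vpn_connection_tunnel1_phase1_dh_group_numbers must be one of 2, 5, 14-24."
  }
}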
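variable "vpn_connection_tunnel1_phase2_dh_group_numbers" {
  type        = list(string)
  description = "List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24. An empty list leaves the choice to the provider/AWS default; groups 2 and 5 (1024/1536-bit MODP) are weak by current standards and should be omitted when pinning a policy"
  default     = []
  nullable    = false

  # Elements are strings (kept for backward compatibility with existing callers); the
  # provider converts them to numbers. Compare as strings against the documented set.
  validation {
    condition = alltrue([
      for g in var.vpn_connection_tunnel1_phase2_dh_group_numbers :
      contains(["2", "5", "14", "15", "16", "17", "18", "19", "20", "21", "22", "23", "24"], tostring(g))
    ])
    error_message = "Every entry of vpn_connection_tunnel1_phase2_dh_group_numbers must be one of 2, 5, 14-24."
  }
}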
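variable "vpn_connection_tunnel1_phase1_lifetime_seconds" {
  type        = string
  description = "The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 28800"
  default     = "28800"
  nullable    = false

  # The type is string for backward compatibility, so convert inside try(): a
  # non-numeric string makes tonumber() fail and the whole condition becomes false.
  validation {
    condition = try(
      tonumber(var.vpn_connection_tunnel1_phase1_lifetime_seconds) >= 900 &&
      tonumber(var.vpn_connection_tunnel1_phase1_lifetime_seconds) <= 28800,
      false
    )
    error_message = "vpn_connection_tunnel1_phase1_lifetime_seconds must be a number of seconds between 900 and 28800."
  }
}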
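variable "vpn_connection_tunnel1_phase2_lifetime_seconds" {
  type        = string
  description = "The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 3600"
  default     = "3600"
  nullable    = false

  # The type is string for backward compatibility, so convert inside try(): a
  # non-numeric string makes tonumber() fail and the whole condition becomes false.
  validation {
    condition = try(
      tonumber(var.vpn_connection_tunnel1_phase2_lifetime_seconds) >= 900 &&
      tonumber(var.vpn_connection_tunnel1_phase2_lifetime_seconds) <= 3600,
      false
    )
    error_message = "vpn_connection_tunnel1_phase2_lifetime_seconds must be a number of seconds between 900 and 3600."
  }
}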
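variable "vpn_connection_tunnel1_preshared_key" {
  type        = string
  description = "The preshared key of the first VPN tunnel. Set to `null` to let AWS generate one. The preshared key must be between 8 and 64 characters in length and cannot start with zero. Allowed characters are alphanumeric characters, periods(.) and underscores(_). Prefer a long, randomly generated value over a memorable one"
  default     = null
  # A PSK is a credential: keep it out of plan/apply output and `terraform console`.
  # NOTE(review): any output in this module that references this variable directly
  # must itself be marked `sensitive = true`; outputs of the resource attribute are
  # already sensitive on the provider side.
  sensitive = true

  # Mirror the AWS constraints so a bad key is caught at plan time. The first
  # character class excludes "0" per the "cannot start with zero" rule.
  validation {
    condition     = var.vpn_connection_tunnel1_preshared_key == null || can(regex("^[1-9A-Za-z._][0-9A-Za-z._]{7,63}$", var.vpn_connection_tunnel1_preshared_key))
    error_message = "vpn_connection_tunnel1_preshared_key must be 8-64 characters of [A-Za-z0-9._], must not start with 0, or be null."
  }
}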
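variable "vpn_connection_tunnel1_startup_action" {
  type        = string
  description = "The action to take when establishing the first VPN tunnel. By default (`add`), your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify `start` for AWS to initiate the IKE negotiation. Valid values are `add` | `start`"
  default     = "add"
  nullable    = false

  # Only the two documented values are accepted by AWS.
  validation {
    condition     = contains(["add", "start"], var.vpn_connection_tunnel1_startup_action)
    error_message = "vpn_connection_tunnel1_startup_action must be `add` or `start`."
  }
}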
# Turns on CloudWatch tunnel logging for the first tunnel. Off by default; enabling
# it gives you IKE/IPsec negotiation records, which is usually what you want for
# troubleshooting and incident response.
variable "vpn_connection_tunnel1_cloudwatch_log_enabled" {
  description = "Enable or disable VPN tunnel logging feature for the first tunnel"
  type        = bool
  nullable    = false
  default     = false
}
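variable "vpn_connection_tunnel1_cloudwatch_log_output_format" {
  type        = string
  description = "Set log format for the first tunnel. Default format is `json`. Possible values are `json` and `text`"
  default     = "json"
  nullable    = false

  # Enforce the two documented formats; `json` is the easier one to query from
  # CloudWatch Logs Insights or a SIEM.
  validation {
    condition     = contains(["json", "text"], var.vpn_connection_tunnel1_cloudwatch_log_output_format)
    error_message = "vpn_connection_tunnel1_cloudwatch_log_output_format must be `json` or `text`."
  }
}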
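variable "vpn_connection_tunnel2_dpd_timeout_action" {
  type        = string
  description = "The action to take after DPD timeout occurs for the second VPN tunnel. Specify `restart` to restart the IKE initiation. Specify `clear` to end the IKE session. Valid values are `clear` | `none` | `restart`"
  default     = "clear"
  nullable    = false

  # Same accepted set as the first tunnel; enforce it so a typo fails at plan time.
  validation {
    condition     = contains(["clear", "none", "restart"], var.vpn_connection_tunnel2_dpd_timeout_action)
    error_message = "vpn_connection_tunnel2_dpd_timeout_action must be one of `clear`, `none` or `restart`."
  }
}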
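variable "vpn_connection_tunnel2_ike_versions" {
  type        = list(string)
  description = "The IKE versions that are permitted for the second VPN tunnel. Valid values are `ikev1` | `ikev2`. An empty list leaves the choice to the provider/AWS default. Prefer `[\"ikev2\"]` unless the customer gateway device only supports IKEv1"
  default     = []
  nullable    = false

  # Only the two documented values are meaningful; anything else would be rejected by AWS.
  validation {
    condition     = alltrue([for v in var.vpn_connection_tunnel2_ike_versions : contains(["ikev1", "ikev2"], v)])
    error_message = "Every entry of vpn_connection_tunnel2_ike_versions must be `ikev1` or `ikev2`."
  }
}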
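variable "vpn_connection_tunnel2_inside_cidr" {
  type        = string
  description = "The CIDR block of the inside IP addresses for the second VPN tunnel. Must be a /30 within the 169.254.0.0/16 link-local range; AWS reserves a handful of /30 blocks in that range (see the AWS Site-to-Site VPN tunnel options documentation). Set to `null` to let AWS pick one"
  default     = null

  # Enforce the link-local /30 shape. The reserved-block list is maintained by AWS and
  # is deliberately not hard-coded here; the API still rejects those.
  validation {
    condition = (
      var.vpn_connection_tunnel2_inside_cidr == null ||
      (
        can(cidrhost(var.vpn_connection_tunnel2_inside_cidr, 0)) &&
        can(regex("^169\\.254\\.[0-9]{1,3}\\.[0-9]{1,3}/30$", var.vpn_connection_tunnel2_inside_cidr))
      )
    )
    error_message = "vpn_connection_tunnel2_inside_cidr must be a /30 inside 169.254.0.0/16 (e.g. 169.254.11.0/30), or null."
  }
}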
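variable "vpn_connection_tunnel2_phase1_encryption_algorithms" {
  type        = list(string)
  description = "List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are `AES128` | `AES256` | `AES128-GCM-16` | `AES256-GCM-16`. An empty list leaves the choice to the provider/AWS default; to pin a policy, list only the AES-256 (preferably GCM) options"
  default     = []
  nullable    = false

  # Every listed algorithm is offered to the peer, so an unknown string would either be
  # rejected by AWS or silently widen the proposal set. Fail early on anything unexpected.
  validation {
    condition = alltrue([
      for alg in var.vpn_connection_tunnel2_phase1_encryption_algorithms :
      contains(["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"], alg)
    ])
    error_message = "Every entry of vpn_connection_tunnel2_phase1_encryption_algorithms must be one of AES128, AES256, AES128-GCM-16, AES256-GCM-16."
  }
}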
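variable "vpn_connection_tunnel2_phase2_encryption_algorithms" {
  type        = list(string)
  description = "List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are `AES128` | `AES256` | `AES128-GCM-16` | `AES256-GCM-16`. An empty list leaves the choice to the provider/AWS default; to pin a policy, list only the AES-256 (preferably GCM) options"
  default     = []
  nullable    = false

  # Every listed algorithm is offered to the peer, so an unknown string would either be
  # rejected by AWS or silently widen the proposal set. Fail early on anything unexpected.
  validation {
    condition = alltrue([
      for alg in var.vpn_connection_tunnel2_phase2_encryption_algorithms :
      contains(["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"], alg)
    ])
    error_message = "Every entry of vpn_connection_tunnel2_phase2_encryption_algorithms must be one of AES128, AES256, AES128-GCM-16, AES256-GCM-16."
  }
}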
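variable "vpn_connection_tunnel2_phase1_integrity_algorithms" {
  type        = list(string)
  description = "One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are `SHA1` | `SHA2-256` | `SHA2-384` | `SHA2-512`. An empty list leaves the choice to the provider/AWS default; `SHA1` is only kept for legacy devices and should be omitted when pinning a policy"
  default     = []
  nullable    = false

  # Restrict to the documented identifiers so a typo cannot slip through to the API.
  validation {
    condition = alltrue([
      for alg in var.vpn_connection_tunnel2_phase1_integrity_algorithms :
      contains(["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"], alg)
    ])
    error_message = "Every entry of vpn_connection_tunnel2_phase1_integrity_algorithms must be one of SHA1, SHA2-256, SHA2-384, SHA2-512."
  }
}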
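variable "vpn_connection_tunnel2_phase2_integrity_algorithms" {
  type        = list(string)
  description = "One or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are `SHA1` | `SHA2-256` | `SHA2-384` | `SHA2-512`. An empty list leaves the choice to the provider/AWS default; `SHA1` is only kept for legacy devices and should be omitted when pinning a policy"
  default     = []
  nullable    = false

  # Restrict to the documented identifiers so a typo cannot slip through to the API.
  validation {
    condition = alltrue([
      for alg in var.vpn_connection_tunnel2_phase2_integrity_algorithms :
      contains(["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"], alg)
    ])
    error_message = "Every entry of vpn_connection_tunnel2_phase2_integrity_algorithms must be one of SHA1, SHA2-256, SHA2-384, SHA2-512."
  }
}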
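variable "vpn_connection_tunnel2_phase1_dh_group_numbers" {
  type        = list(string)
  description = "List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24. An empty list leaves the choice to the provider/AWS default; groups 2 and 5 (1024/1536-bit MODP) are weak by current standards and should be omitted when pinning a policy"
  default     = []
  nullable    = false

  # Elements are strings (kept for backward compatibility with existing callers); the
  # provider converts them to numbers. Compare as strings against the documented set.
  validation {
    condition = alltrue([
      for g in var.vpn_connection_tunnel2_phase1_dh_group_numbers :
      contains(["2", "5", "14", "15", "16", "17", "18", "19", "20", "21", "22", "23", "24"], tostring(g))
    ])
    error_message = "Every entry of vpn_connection_tunnel2_phase1_dh_group_numbers must be one of 2, 5, 14-24."
  }
}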
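variable "vpn_connection_tunnel2_phase2_dh_group_numbers" {
  type        = list(string)
  description = "List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24. An empty list leaves the choice to the provider/AWS default; groups 2 and 5 (1024/1536-bit MODP) are weak by current standards and should be omitted when pinning a policy"
  default     = []
  nullable    = false

  # Elements are strings (kept for backward compatibility with existing callers); the
  # provider converts them to numbers. Compare as strings against the documented set.
  validation {
    condition = alltrue([
      for g in var.vpn_connection_tunnel2_phase2_dh_group_numbers :
      contains(["2", "5", "14", "15", "16", "17", "18", "19", "20", "21", "22", "23", "24"], tostring(g))
    ])
    error_message = "Every entry of vpn_connection_tunnel2_phase2_dh_group_numbers must be one of 2, 5, 14-24."
  }
}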
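variable "vpn_connection_tunnel2_phase1_lifetime_seconds" {
  type        = string
  description = "The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 28800"
  default     = "28800"
  nullable    = false

  # The type is string for backward compatibility, so convert inside try(): a
  # non-numeric string makes tonumber() fail and the whole condition becomes false.
  validation {
    condition = try(
      tonumber(var.vpn_connection_tunnel2_phase1_lifetime_seconds) >= 900 &&
      tonumber(var.vpn_connection_tunnel2_phase1_lifetime_seconds) <= 28800,
      false
    )
    error_message = "vpn_connection_tunnel2_phase1_lifetime_seconds must be a number of seconds between 900 and 28800."
  }
}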
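variable "vpn_connection_tunnel2_phase2_lifetime_seconds" {
  type        = string
  description = "The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 3600"
  default     = "3600"
  nullable    = false

  # The type is string for backward compatibility, so convert inside try(): a
  # non-numeric string makes tonumber() fail and the whole condition becomes false.
  validation {
    condition = try(
      tonumber(var.vpn_connection_tunnel2_phase2_lifetime_seconds) >= 900 &&
      tonumber(var.vpn_connection_tunnel2_phase2_lifetime_seconds) <= 3600,
      false
    )
    error_message = "vpn_connection_tunnel2_phase2_lifetime_seconds must be a number of seconds between 900 and 3600."
  }
}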
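variable "vpn_connection_tunnel2_preshared_key" {
  type        = string
  description = "The preshared key of the second VPN tunnel. Set to `null` to let AWS generate one. The preshared key must be between 8 and 64 characters in length and cannot start with zero. Allowed characters are alphanumeric characters, periods(.) and underscores(_). Prefer a long, randomly generated value over a memorable one, and do not reuse the first tunnel's key"
  default     = null
  # A PSK is a credential: keep it out of plan/apply output and `terraform console`.
  # NOTE(review): any output in this module that references this variable directly
  # must itself be marked `sensitive = true`; outputs of the resource attribute are
  # already sensitive on the provider side.
  sensitive = true

  # Mirror the AWS constraints so a bad key is caught at plan time. The first
  # character class excludes "0" per the "cannot start with zero" rule.
  validation {
    condition     = var.vpn_connection_tunnel2_preshared_key == null || can(regex("^[1-9A-Za-z._][0-9A-Za-z._]{7,63}$", var.vpn_connection_tunnel2_preshared_key))
    error_message = "vpn_connection_tunnel2_preshared_key must be 8-64 characters of [A-Za-z0-9._], must not start with 0, or be null."
  }
}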
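variable "vpn_connection_tunnel2_startup_action" {
  type        = string
  description = "The action to take when establishing the second VPN tunnel. By default (`add`), your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify `start` for AWS to initiate the IKE negotiation. Valid values are `add` | `start`"
  default     = "add"
  nullable    = false

  # Only the two documented values are accepted by AWS.
  validation {
    condition     = contains(["add", "start"], var.vpn_connection_tunnel2_startup_action)
    error_message = "vpn_connection_tunnel2_startup_action must be `add` or `start`."
  }
}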
# Turns on CloudWatch tunnel logging for the second tunnel. Off by default; enabling
# it gives you IKE/IPsec negotiation records, which is usually what you want for
# troubleshooting and incident response.
variable "vpn_connection_tunnel2_cloudwatch_log_enabled" {
  description = "Enable or disable VPN tunnel logging feature for the second tunnel"
  type        = bool
  nullable    = false
  default     = false
}
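variable "vpn_connection_tunnel2_cloudwatch_log_output_format" {
  type        = string
  description = "Set log format for the second tunnel. Default format is `json`. Possible values are `json` and `text`"
  default     = "json"
  nullable    = false

  # Enforce the two documented formats; `json` is the easier one to query from
  # CloudWatch Logs Insights or a SIEM.
  validation {
    condition     = contains(["json", "text"], var.vpn_connection_tunnel2_cloudwatch_log_output_format)
    error_message = "vpn_connection_tunnel2_cloudwatch_log_output_format must be `json` or `text`."
  }
}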
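variable "existing_transit_gateway_id" {
  type        = string
  description = "Existing Transit Gateway ID. If provided, the module will not create a Virtual Private Gateway but instead will use the transit_gateway. For setting up transit gateway we can use the cloudposse/transit-gateway/aws module and pass the output transit_gateway_id to this variable"
  default     = ""

  # The empty string is the existing "not provided" sentinel and must keep working.
  # Anything else has to be a Transit Gateway ID, not e.g. an attachment or route table ID.
  validation {
    condition     = var.existing_transit_gateway_id == "" || can(regex("^tgw-[0-9a-f]+$", var.existing_transit_gateway_id))
    error_message = "existing_transit_gateway_id must be a Transit Gateway identifier of the form `tgw-xxxxxxxx`, or an empty string."
  }
}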
# Feature flag for terminating the VPN on a Transit Gateway instead of a Virtual
# Private Gateway. When true, `existing_transit_gateway_id` supplies the TGW.
variable "transit_gateway_enabled" {
  description = "Set to true to enable VPN connection to transit gateway and then pass in the existing_transit_gateway_id"
  type        = bool
  nullable    = false
  default     = false
}
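variable "transit_gateway_route_table_id" {
  type        = string
  description = "The ID of the route table for the transit gateway that you want to associate + propagate the VPN connection's TGW attachment"
  default     = null

  # `null` keeps the "no association/propagation" behaviour. Otherwise require a TGW
  # route table ID so a VPC route table (`rtb-...`) cannot be passed by mistake.
  validation {
    condition     = var.transit_gateway_route_table_id == null || can(regex("^tgw-rtb-[0-9a-f]+$", var.transit_gateway_route_table_id))
    error_message = "transit_gateway_route_table_id must be a Transit Gateway route table identifier of the form `tgw-rtb-xxxxxxxx`, or null."
  }
}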
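variable "transit_gateway_routes" {
  type = map(object({
    # true creates a blackhole route (traffic dropped) instead of pointing at the VPN attachment
    blackhole              = optional(bool, false)
    destination_cidr_block = string
  }))
  description = "A map of transit gateway routes to create on the given TGW route table (via `transit_gateway_route_table_id`) for the created VPN Attachment. Use the key in the map to describe the route"
  default     = {}
  nullable    = false

  # Each destination must parse as a CIDR prefix; catching this at plan time avoids a
  # partially-applied set of TGW routes.
  validation {
    condition     = alltrue([for k, r in var.transit_gateway_routes : can(cidrhost(r.destination_cidr_block, 0))])
    error_message = "Every transit_gateway_routes entry must have a valid CIDR destination_cidr_block (e.g. 192.168.0.0/16)."
  }
}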