From 54ba1c6b961e5014bf09bcb82f2dcdf54f14a41a Mon Sep 17 00:00:00 2001 From: Jake Date: Wed, 31 Dec 2025 11:21:12 +0000 Subject: [PATCH 01/17] codex: did it work? --- cmd/init_tf_module_promise.go | 29 +++++++---- internal/terraform_module.go | 10 ++-- internal/terraform_module_test.go | 36 +++++++++++-- stages/terraform-module-promise/main.go | 52 +++++++++++++++++-- .../test/stage_test.go | 47 ++++++++++++++++- 5 files changed, 148 insertions(+), 26 deletions(-) diff --git a/cmd/init_tf_module_promise.go b/cmd/init_tf_module_promise.go index 54cee8b..49c6c63 100644 --- a/cmd/init_tf_module_promise.go +++ b/cmd/init_tf_module_promise.go @@ -39,7 +39,7 @@ To pull modules from private registries, ensure your system is logged in to the # Initialize a Promise from a Terraform Module in Terraform registry kratix init tf-module-promise iam \ --module-source terraform-aws-modules/iam/aws \ - --module-version 6.2.3 \ + --module-registry-version 6.2.3 \ --group syntasso.io \ --kind IAM \ --version v1alpha1`, @@ -47,7 +47,7 @@ To pull modules from private registries, ensure your system is logged in to the Args: cobra.ExactArgs(1), } - moduleSource, moduleVersion string + moduleSource, moduleRegistryVersion, deprecatedModuleVersionFlag string ) func init() { 
@@ -56,15 +56,22 @@ func init() { "This can be a Git URL, Terraform registry path, or a local directory path. \n"+ "It follows the same format as the `source` argument in the Terraform module block.", ) - terraformModuleCmd.Flags().StringVarP(&moduleVersion, "module-version", "m", "", "(Optional) version of the terraform module; "+ + terraformModuleCmd.Flags().StringVarP(&moduleRegistryVersion, "module-registry-version", "r", "", "(Optional) version of the Terraform module from a registry; "+ "only use when pulling modules from Terraform registry", ) + terraformModuleCmd.Flags().StringVar(&deprecatedModuleVersionFlag, "module-version", "", "(Deprecated) use --module-registry-version instead") + terraformModuleCmd.Flags().MarkHidden("module-version") + terraformModuleCmd.Flags().MarkDeprecated("module-version", "use --module-registry-version instead") terraformModuleCmd.MarkFlagRequired("module-source") } func InitFromTerraformModule(cmd *cobra.Command, args []string) error { fmt.Println("Fetching terraform module variables, this might take up to a minute...") - variables, err := internal.GetVariablesFromModule(moduleSource, moduleVersion) + if moduleRegistryVersion == "" && deprecatedModuleVersionFlag != "" { + moduleRegistryVersion = deprecatedModuleVersionFlag + } + + variables, err := internal.GetVariablesFromModule(moduleSource, moduleRegistryVersion) if err != nil { fmt.Printf("Error: failed to download and convert terraform module to CRD: %s\n", err) return nil @@ -82,7 +89,7 @@ func InitFromTerraformModule(cmd *cobra.Command, args []string) error { return nil } - resourceConfigure, err := generateTerraformModuleResourceConfigurePipeline() + resourceConfigure, err := generateTerraformModuleResourceConfigurePipeline(moduleRegistryVersion) if err != nil { fmt.Printf("Error: failed to generate promise pipelines: %s\n", err) return nil 
@@ -90,8 +97,8 @@ func InitFromTerraformModule(cmd *cobra.Command, args []string) error { promiseName := args[0] extraFlags := fmt.Sprintf("--module-source %s", moduleSource) - if moduleVersion != "" { - extraFlags = fmt.Sprintf("%s --module-version %s", extraFlags, moduleVersion) + if moduleRegistryVersion != "" { + extraFlags = fmt.Sprintf("%s --module-registry-version %s", extraFlags, moduleRegistryVersion) } templateValues, err := generateTemplateValues(promiseName, "tf-module-promise", extraFlags, resourceConfigure, string(crdSchema)) if err != nil { @@ -123,7 +130,7 @@ func InitFromTerraformModule(cmd *cobra.Command, args []string) error { return nil } -func generateTerraformModuleResourceConfigurePipeline() (string, error) { +func generateTerraformModuleResourceConfigurePipeline(moduleRegistryVersion string) (string, error) { envs := []corev1.EnvVar{ { Name: "MODULE_SOURCE", @@ -131,10 +138,10 @@ func generateTerraformModuleResourceConfigurePipeline() (string, error) { }, } - if moduleVersion != "" { + if moduleRegistryVersion != "" { envs = append(envs, corev1.EnvVar{ - Name: "MODULE_VERSION", - Value: moduleVersion, + Name: "MODULE_REGISTRY_VERSION", + Value: moduleRegistryVersion, }) } diff --git a/internal/terraform_module.go b/internal/terraform_module.go index ed6cd4e..afe483b 100644 --- a/internal/terraform_module.go +++ b/internal/terraform_module.go 
@@ -28,14 +28,14 @@ var ( terraformInit func(dir string) error = runTerraformInit ) -func GetVariablesFromModule(moduleSource, moduleVersion string) ([]TerraformVariable, error) { +func GetVariablesFromModule(moduleSource, moduleRegistryVersion string) ([]TerraformVariable, error) { tempDir, err := mkdirTemp("", "terraform-module") if err != nil { return nil, fmt.Errorf("failed to create temp directory: %w", err) } defer os.RemoveAll(tempDir) - if err := writeTerraformModuleConfig(tempDir, moduleSource, moduleVersion); err != nil { + if err := writeTerraformModuleConfig(tempDir, moduleSource, moduleRegistryVersion); err != nil { return nil, err } @@ -57,10 +57,10 @@ func GetVariablesFromModule(moduleSource, moduleVersion string) ([]TerraformVari return variables, nil } -func writeTerraformModuleConfig(workDir, moduleSource, moduleVersion string) error { +func writeTerraformModuleConfig(workDir, moduleSource, moduleRegistryVersion string) error { config := fmt.Sprintf("module \"%s\" {\n source = \"%s\"\n", kratixModuleName, moduleSource) - if moduleVersion != "" { - config += fmt.Sprintf(" version = \"%s\"\n", moduleVersion) + if moduleRegistryVersion != "" { + config += fmt.Sprintf(" version = \"%s\"\n", moduleRegistryVersion) } config += "}\n" if err := os.WriteFile(filepath.Join(workDir, "main.tf"), []byte(config), 0o644); err != nil { diff --git a/internal/terraform_module_test.go b/internal/terraform_module_test.go index 551825d..de8025c 100644 --- a/internal/terraform_module_test.go +++ b/internal/terraform_module_test.go @@ -132,8 +132,7 @@ variable "list_object_var" { mainContent, err := os.ReadFile(filepath.Join(tempDir, "main.tf")) Expect(err).NotTo(HaveOccurred()) expectContent := `module "kratix_target" { - source = "git::mock-source.git//subdir" - version = "v1.0.0" + source = "git::mock-source.git//subdir?ref=v1.0.0" } ` Expect(string(mainContent)).To(Equal(expectContent)) 
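Review bot: `writeTerraformModuleConfig` interpolates moduleRegistryVersion into the generated HCL with fmt.Sprintf and no escaping, so a value containing a double quote or a newline ends the `version = "…"` literal and whatever follows is parsed as configuration by the `terraform init` that runs on this file (the unchanged `source = "%s"` line above has the same shape for moduleSource). The values are the user's own CLI flags, so this is mainly a robustness gap, but a guard before the Sprintf keeps malformed input from surfacing as an opaque terraform parse error: `if strings.ContainsAny(moduleRegistryVersion, "\"\n") { return fmt.Errorf("module registry version %q contains invalid characters", moduleRegistryVersion) }`. This assumes `strings` is already imported in this file, which the later IsTerraformRegistrySource hunk suggests; if not, it needs adding.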
@@ -161,7 +160,7 @@ variable "bool_var" { `), 0o644) }) - variables, err := internal.GetVariablesFromModule("git::mock-source.git", "v1.0.0") + variables, err := internal.GetVariablesFromModule("git::mock-source.git//subdir?ref=v1.0.0", "") Expect(err).ToNot(HaveOccurred()) Expect(variables).To(HaveLen(4)) @@ -183,6 +182,37 @@ variable "bool_var" { }) }) + Context("when a registry module version is provided separately", func() { + BeforeEach(func() { + internal.SetTerraformInitFunc(func(dir string) error { + mainContent, err := os.ReadFile(filepath.Join(tempDir, "main.tf")) + Expect(err).NotTo(HaveOccurred()) + expectContent := `module "kratix_target" { + source = "terraform-aws-modules/iam/aws" + version = "6.2.3" +} +` + Expect(string(mainContent)).To(Equal(expectContent)) + + variablesPath := filepath.Join(tempDir, ".terraform", "modules", "kratix_target", "variables.tf") + expectManifest(filepath.Join(tempDir, ".terraform", "modules", "modules.json"), ".terraform/modules/kratix_target") + Expect(os.MkdirAll(filepath.Dir(variablesPath), 0o755)).To(Succeed()) + return os.WriteFile(variablesPath, []byte(` +variable "example_var" { + type = string +} +`), 0o644) + }) + }) + + It("adds the version to the terraform config", func() { + variables, err := internal.GetVariablesFromModule("terraform-aws-modules/iam/aws", "6.2.3") + Expect(err).ToNot(HaveOccurred()) + Expect(variables).To(HaveLen(1)) + Expect(variables[0].Name).To(Equal("example_var")) + }) + }) + Context("when terraform init fails", func() { It("errors", func() { internal.SetTerraformInitFunc(func(dir string) error { diff --git a/stages/terraform-module-promise/main.go b/stages/terraform-module-promise/main.go index 6c48a0b..58c766f 100644 --- a/stages/terraform-module-promise/main.go +++ b/stages/terraform-module-promise/main.go 
@@ -15,7 +15,10 @@ func main() { yamlFile := GetEnv("KRATIX_INPUT_FILE", "/kratix/input/object.yaml") outputDir := GetEnv("KRATIX_OUTPUT_DIR", "/kratix/output") moduleSource := MustHaveEnv("MODULE_SOURCE") - moduleVersion := MustHaveEnv("MODULE_VERSION") + moduleRegistryVersion := os.Getenv("MODULE_REGISTRY_VERSION") + if moduleRegistryVersion == "" { + moduleRegistryVersion = os.Getenv("MODULE_VERSION") + } modulePath := os.Getenv("MODULE_PATH") // optional yamlContent, err := os.ReadFile(yamlFile) @@ -44,10 +47,7 @@ func main() { uniqueFileName := strings.ToLower(fmt.Sprintf("%s_%s_%s", kind, namespace, name)) - source := fmt.Sprintf("%s//%s?ref=%s", moduleSource, modulePath, moduleVersion) - if modulePath == "" { - source = fmt.Sprintf("%s?ref=%s", moduleSource, moduleVersion) - } + source := buildModuleSource(moduleSource, modulePath) module := map[string]map[string]map[string]any{ "module": { @@ -57,6 +57,15 @@ func main() { }, } + if moduleRegistryVersion != "" { + if isRegistrySource(moduleSource) { + module["module"][uniqueFileName]["version"] = moduleRegistryVersion + } else if !strings.Contains(source, "?") { + sourceWithRef := fmt.Sprintf("%s?ref=%s", source, moduleRegistryVersion) + module["module"][uniqueFileName]["source"] = sourceWithRef + } + } + // Handle spec if it exists if spec, ok := data["spec"].(map[string]any); ok { for key, value := range spec { 
@@ -103,3 +112,36 @@ func MustHaveEnv(key string) string { } panic(fmt.Sprintf("Error: %s environment variable is not set", key)) } + +func buildModuleSource(moduleSource, modulePath string) string { + if modulePath == "" { + return moduleSource + } + + trimmedPath := strings.Trim(modulePath, "/") + if trimmedPath == "" { + return moduleSource + } + + sourceParts := strings.SplitN(moduleSource, "?", 2) + baseSource := strings.TrimSuffix(sourceParts[0], "/") + sourceWithPath := fmt.Sprintf("%s//%s", baseSource, trimmedPath) + + if len(sourceParts) == 2 && sourceParts[1] != "" { + return fmt.Sprintf("%s?%s", sourceWithPath, sourceParts[1]) + } + + return sourceWithPath +} + +func isRegistrySource(moduleSource string) bool { + if strings.HasPrefix(moduleSource, "./") || strings.HasPrefix(moduleSource, "../") || strings.HasPrefix(moduleSource, "/") { + return false + } + + if strings.Contains(moduleSource, "://") || strings.Contains(moduleSource, "::") { + return false + } + + return strings.Count(moduleSource, "/") >= 2 +} diff --git a/stages/terraform-module-promise/test/stage_test.go b/stages/terraform-module-promise/test/stage_test.go index 1dcfc28..5f8f7a6 100644 --- a/stages/terraform-module-promise/test/stage_test.go +++ b/stages/terraform-module-promise/test/stage_test.go @@ -50,6 +50,38 @@ var expectedOutputNoSpec = `{ } }` +var expectedRegistryOutput = `{ + "module": { + "testobject_non-default_test-object": { + "source": "terraform-aws-modules/iam/aws", + "version": "6.2.3", + "strArr": [ + { + "field": "value" + } + ], + "intArr": [ + 1 + ], + "listBool": [ + true + ], + "field": "value", + "mapWithinMap": { + "entryMap": { + "entry": "value", + "entry2": 2, + "entry3": false + }, + "entry": "value", + "entry2": 2, + "entry3": false + }, + "number": 7 + } + } +}` + func runWithEnv(envVars map[string]string) *gexec.Session { cmd := exec.Command(binaryPath) for key, value := range envVars { 
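Review bot: `isRegistrySource` decides by slash count alone, so the git shorthand `github.com/org/repo` (three slashes-separated segments, which Terraform's getter appears to treat as a GitHub source rather than a registry address) is classified as a registry source and receives a `version` key that a git module cannot use. The same heuristic is moved verbatim into `internal.IsTerraformRegistrySource` in patch 03 (the `@@ -109,6 +109,18 @@` hunk of internal/terraform_module.go), where it also gates CLI validation, so a misclassification there turns a usable `--module-source` into a hard error. Registry addresses are `namespace/name/provider` or `host/namespace/name/provider` with an optional `//subdir`; checking the segment count after stripping the subdir, and requiring a dotted first segment only in the four-segment form, separates the two cases. Neither function carries a comment stating that it is a purely syntactic check; `// isRegistrySource reports whether moduleSource has the shape of a Terraform registry address; it never contacts a registry.` would help.
```go
func isRegistrySource(moduleSource string) bool {
	// … unchanged: the "./", "../", "/", "://" and "::" rejections …
	addr := strings.SplitN(moduleSource, "//", 2)[0] // drop any //subdir suffix
	parts := strings.Split(addr, "/")
	switch len(parts) {
	case 3: // namespace/name/provider; a dotted first segment is a host shorthand like github.com/org/repo
		return !strings.Contains(parts[0], ".")
	case 4: // host/namespace/name/provider
		return strings.Contains(parts[0], ".")
	default:
		return false
	}
}
```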
@@ -74,8 +106,7 @@ var _ = Describe("From TF module to Promise Stage", func() { envVars = map[string]string{ "KRATIX_INPUT_FILE": "assets/test-object.yaml", "KRATIX_OUTPUT_DIR": tmpDir, - "MODULE_SOURCE": "git::example.com", - "MODULE_VERSION": "1.0.0", + "MODULE_SOURCE": "git::example.com?ref=1.0.0", } }) @@ -104,4 +135,16 @@ var _ = Describe("From TF module to Promise Stage", func() { Expect(err).NotTo(HaveOccurred()) Expect(string(output)).To(MatchJSON(expectedOutputNoSpec)) }) + + It("adds a registry version when provided separately", func() { + envVars["MODULE_SOURCE"] = "terraform-aws-modules/iam/aws" + envVars["MODULE_REGISTRY_VERSION"] = "6.2.3" + session := runWithEnv(envVars) + Eventually(session).Should(gexec.Exit()) + Expect(session.Buffer()).To(gbytes.Say("Terraform JSON configuration written to %s/testobject_non-default_test-object.tf.json", tmpDir)) + Expect(session).To(gexec.Exit(0)) + output, err := os.ReadFile(filepath.Join(tmpDir, "testobject_non-default_test-object.tf.json")) + Expect(err).NotTo(HaveOccurred()) + Expect(string(output)).To(MatchJSON(expectedRegistryOutput)) + }) }) From 5dc81d887955a29aa8d2df869aa90454c8e4da78 Mon Sep 17 00:00:00 2001 From: Jake Date: Wed, 31 Dec 2025 11:42:33 +0000 Subject: [PATCH 02/17] codex: remove deprecated flags --- cmd/init_tf_module_promise.go | 9 +-------- stages/terraform-module-promise/main.go | 3 --- 2 files changed, 1 insertion(+), 11 deletions(-) diff --git a/cmd/init_tf_module_promise.go b/cmd/init_tf_module_promise.go index 49c6c63..880e9b6 100644 --- a/cmd/init_tf_module_promise.go +++ b/cmd/init_tf_module_promise.go @@ -47,7 +47,7 @@ To pull modules from private registries, ensure your system is logged in to the Args: cobra.ExactArgs(1), } - moduleSource, moduleRegistryVersion, deprecatedModuleVersionFlag string + moduleSource, moduleRegistryVersion string ) func init() { 
@@ -59,18 +59,11 @@ func init() { terraformModuleCmd.Flags().StringVarP(&moduleRegistryVersion, "module-registry-version", "r", "", "(Optional) version of the Terraform module from a registry; "+ "only use when pulling modules from Terraform registry", ) - terraformModuleCmd.Flags().StringVar(&deprecatedModuleVersionFlag, "module-version", "", "(Deprecated) use --module-registry-version instead") - terraformModuleCmd.Flags().MarkHidden("module-version") - terraformModuleCmd.Flags().MarkDeprecated("module-version", "use --module-registry-version instead") terraformModuleCmd.MarkFlagRequired("module-source") } func InitFromTerraformModule(cmd *cobra.Command, args []string) error { fmt.Println("Fetching terraform module variables, this might take up to a minute...") - if moduleRegistryVersion == "" && deprecatedModuleVersionFlag != "" { - moduleRegistryVersion = deprecatedModuleVersionFlag - } - variables, err := internal.GetVariablesFromModule(moduleSource, moduleRegistryVersion) if err != nil { fmt.Printf("Error: failed to download and convert terraform module to CRD: %s\n", err) diff --git a/stages/terraform-module-promise/main.go b/stages/terraform-module-promise/main.go index 58c766f..bdc8da9 100644 --- a/stages/terraform-module-promise/main.go +++ b/stages/terraform-module-promise/main.go @@ -16,9 +16,6 @@ func main() { outputDir := GetEnv("KRATIX_OUTPUT_DIR", "/kratix/output") moduleSource := MustHaveEnv("MODULE_SOURCE") moduleRegistryVersion := os.Getenv("MODULE_REGISTRY_VERSION") - if moduleRegistryVersion == "" { - moduleRegistryVersion = os.Getenv("MODULE_VERSION") - } modulePath := os.Getenv("MODULE_PATH") // optional yamlContent, err := os.ReadFile(yamlFile) From 340474527e9d3d5911e920bce6f3fdf1e7c7b783 Mon Sep 17 00:00:00 2001 
From: Jake Date: Wed, 31 Dec 2025 11:48:38 +0000 Subject: [PATCH 03/17] codex: remove backwards compat and move logic into cli for validating --- cmd/init_tf_module_promise.go | 6 ++++++ internal/terraform_module.go | 14 +++++++++++++- internal/terraform_module_test.go | 14 ++++++++++++++ stages/terraform-module-promise/main.go | 22 +++------------------- 4 files changed, 36 insertions(+), 20 deletions(-) diff --git a/cmd/init_tf_module_promise.go b/cmd/init_tf_module_promise.go index 880e9b6..d2eee3c 100644 --- a/cmd/init_tf_module_promise.go +++ b/cmd/init_tf_module_promise.go @@ -64,6 +64,12 @@ func init() { func InitFromTerraformModule(cmd *cobra.Command, args []string) error { fmt.Println("Fetching terraform module variables, this might take up to a minute...") + + if moduleRegistryVersion != "" && !internal.IsTerraformRegistrySource(moduleSource) { + fmt.Println("Error: --module-registry-version can only be used with Terraform registry module sources (e.g., namespace/name/provider)") + return nil + } + variables, err := internal.GetVariablesFromModule(moduleSource, moduleRegistryVersion) if err != nil { fmt.Printf("Error: failed to download and convert terraform module to CRD: %s\n", err) diff --git a/internal/terraform_module.go b/internal/terraform_module.go index afe483b..866dabe 100644 --- a/internal/terraform_module.go +++ b/internal/terraform_module.go @@ -59,7 +59,7 @@ func GetVariablesFromModule(moduleSource, moduleRegistryVersion string) ([]Terra func writeTerraformModuleConfig(workDir, moduleSource, moduleRegistryVersion string) error { config := fmt.Sprintf("module \"%s\" {\n source = \"%s\"\n", kratixModuleName, moduleSource) - if moduleRegistryVersion != "" { + if moduleRegistryVersion != "" && IsTerraformRegistrySource(moduleSource) { config += fmt.Sprintf(" version = \"%s\"\n", moduleRegistryVersion) } config += "}\n" 
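Review bot: The `&& IsTerraformRegistrySource(moduleSource)` added to the version condition in `writeTerraformModuleConfig` makes the library silently ignore a non-empty moduleRegistryVersion for git or local sources instead of reporting it; the check in the cmd hunk covers `kratix init`, but any other caller of GetVariablesFromModule gets a main.tf that quietly differs from what it asked for. Returning an error at this layer keeps both layers consistent: `if moduleRegistryVersion != "" && !IsTerraformRegistrySource(moduleSource) { return fmt.Errorf("module registry version %q is only valid for Terraform registry sources, got source %q", moduleRegistryVersion, moduleSource) }`, with the cmd check remaining as the friendlier message. Separately, the cmd hunk prints the validation error and then `return nil`, so the process exits 0 on a rejected flag combination; that matches the file's existing pattern for the other errors in InitFromTerraformModule, but scripts driving the CLI cannot detect the failure.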
@@ -109,6 +109,18 @@ func resolveModuleDir(workDir string) (string, error) { return "", fmt.Errorf("module %s not found in terraform module manifest", kratixModuleName) } +func IsTerraformRegistrySource(moduleSource string) bool { + if strings.HasPrefix(moduleSource, "./") || strings.HasPrefix(moduleSource, "../") || strings.HasPrefix(moduleSource, "/") { + return false + } + + if strings.Contains(moduleSource, "://") || strings.Contains(moduleSource, "::") { + return false + } + + return strings.Count(moduleSource, "/") >= 2 +} + func extractVariablesFromVarsFile(filePath string) ([]TerraformVariable, error) { fileContent, err := readFileContent(filePath) if err != nil { diff --git a/internal/terraform_module_test.go b/internal/terraform_module_test.go index de8025c..916999a 100644 --- a/internal/terraform_module_test.go +++ b/internal/terraform_module_test.go @@ -240,6 +240,20 @@ variable "example_var" { }) }) +var _ = Describe("IsTerraformRegistrySource", func() { + DescribeTable("registry source detection", + func(source string, expected bool) { + Expect(internal.IsTerraformRegistrySource(source)).To(Equal(expected)) + }, + Entry("registry path", "namespace/name/provider", true), + Entry("nested registry path", "foo/bar/baz", true), + Entry("git URL", "git::https://github.com/org/repo.git?ref=v1.0.0", false), + Entry("local path", "./modules/vpc", false), + Entry("absolute path", "/tmp/module", false), + Entry("module with scheme", "https://example.com/archive.tgz", false), + ) +}) + func expectManifest(manifestPath, moduleDir string) { manifest := fmt.Sprintf(`{"Modules":[{"Key":"module.%s","Dir":"%s"}]}`, "kratix_target", moduleDir) Expect(os.MkdirAll(filepath.Dir(manifestPath), 0o755)).To(Succeed()) diff --git a/stages/terraform-module-promise/main.go b/stages/terraform-module-promise/main.go index bdc8da9..ad046f8 100644 --- a/stages/terraform-module-promise/main.go +++ b/stages/terraform-module-promise/main.go 
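Review bot: `IsTerraformRegistrySource` is exported and now gates both CLI validation and (from the main.go hunk below) stage behaviour, but it has no doc comment stating its contract. Suggested: `// IsTerraformRegistrySource reports whether moduleSource has the shape of a Terraform registry address (namespace/name/provider, optionally prefixed by a host) rather than a local path, URL or forced-scheme source. It is a syntactic heuristic and never contacts a registry.` The slash-count heuristic itself has the `github.com/org/repo` gap raised on the isRegistrySource hunk in patch 01, which this function reproduces unchanged.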
@@ -8,6 +8,7 @@ import ( "path/filepath" "strings" + "github.com/syntasso/kratix-cli/internal" "gopkg.in/yaml.v3" ) @@ -54,13 +55,8 @@ func main() { }, } - if moduleRegistryVersion != "" { - if isRegistrySource(moduleSource) { - module["module"][uniqueFileName]["version"] = moduleRegistryVersion - } else if !strings.Contains(source, "?") { - sourceWithRef := fmt.Sprintf("%s?ref=%s", source, moduleRegistryVersion) - module["module"][uniqueFileName]["source"] = sourceWithRef - } + if moduleRegistryVersion != "" && internal.IsTerraformRegistrySource(moduleSource) { + module["module"][uniqueFileName]["version"] = moduleRegistryVersion } // Handle spec if it exists @@ -130,15 +126,3 @@ func buildModuleSource(moduleSource, modulePath string) string { return sourceWithPath } - -func isRegistrySource(moduleSource string) bool { - if strings.HasPrefix(moduleSource, "./") || strings.HasPrefix(moduleSource, "../") || strings.HasPrefix(moduleSource, "/") { - return false - } - - if strings.Contains(moduleSource, "://") || strings.Contains(moduleSource, "::") { - return false - } - - return strings.Count(moduleSource, "/") >= 2 -} From 95001de983ea2cd93d0cdcd3edb86e29ee116661 Mon Sep 17 00:00:00 2001 From: Jake Date: Wed, 31 Dec 2025 11:58:21 +0000 Subject: [PATCH 04/17] codex: refactor --- cmd/init_tf_module_promise.go | 2 +- internal/terraform_module.go | 33 +++++++++++++++++++++++++ internal/terraform_module_test.go | 14 +++++++++++ stages/terraform-module-promise/main.go | 23 +---------------- 4 files changed, 49 insertions(+), 23 deletions(-) diff --git a/cmd/init_tf_module_promise.go b/cmd/init_tf_module_promise.go index d2eee3c..bcfbd67 100644 --- a/cmd/init_tf_module_promise.go +++ b/cmd/init_tf_module_promise.go 
@@ -66,7 +66,7 @@ func InitFromTerraformModule(cmd *cobra.Command, args []string) error { fmt.Println("Fetching terraform module variables, this might take up to a minute...") if moduleRegistryVersion != "" && !internal.IsTerraformRegistrySource(moduleSource) { - fmt.Println("Error: --module-registry-version can only be used with Terraform registry module sources (e.g., namespace/name/provider)") + fmt.Println("Error: --module-registry-version is only valid for Terraform registry sources like 'namespace/name/provider'. For git URLs (e.g., 'git::https://github.com/org/repo.git?ref=v1.0.0') or local paths, embed the ref directly in --module-source instead.") return nil } diff --git a/internal/terraform_module.go b/internal/terraform_module.go index 866dabe..414074b 100644 --- a/internal/terraform_module.go +++ b/internal/terraform_module.go 
@@ -121,6 +121,39 @@ func IsTerraformRegistrySource(moduleSource string) bool { return strings.Count(moduleSource, "/") >= 2 } +// BuildModuleSource appends a modulePath to a moduleSource while preserving query parameters. +// Examples: +// - BuildModuleSource("git::https://github.com/org/repo.git?ref=v1.0.0", "modules/vpc") +// -> "git::https://github.com/org/repo.git//modules/vpc?ref=v1.0.0" +// - BuildModuleSource("terraform-aws-modules/vpc/aws", "modules/vpc") +// -> "terraform-aws-modules/vpc/aws//modules/vpc" +// +// If modulePath is empty or only slashes, moduleSource is returned unchanged. +func BuildModuleSource(moduleSource, modulePath string) string { + trimmedPath := strings.Trim(modulePath, "/") + if trimmedPath == "" { + return moduleSource + } + + baseSource, query := splitSourceAndQuery(moduleSource) + sourceWithPath := fmt.Sprintf("%s//%s", baseSource, trimmedPath) + + if query == "" { + return sourceWithPath + } + + return fmt.Sprintf("%s?%s", sourceWithPath, query) +} + +func splitSourceAndQuery(moduleSource string) (base, query string) { + parts := strings.SplitN(moduleSource, "?", 2) + base = strings.TrimSuffix(parts[0], "/") + if len(parts) == 2 { + query = parts[1] + } + return base, query +} + func extractVariablesFromVarsFile(filePath string) ([]TerraformVariable, error) { fileContent, err := readFileContent(filePath) if err != nil { diff --git a/internal/terraform_module_test.go b/internal/terraform_module_test.go index 916999a..63cfe4c 100644 --- a/internal/terraform_module_test.go +++ b/internal/terraform_module_test.go 
@@ -254,6 +254,20 @@ var _ = Describe("IsTerraformRegistrySource", func() { ) }) +var _ = Describe("BuildModuleSource", func() { + DescribeTable("appends module path while preserving query params", + func(source, path, expected string) { + Expect(internal.BuildModuleSource(source, path)).To(Equal(expected)) + }, + Entry("no path provided", "git::example.com/repo.git?ref=v1.0.0", "", "git::example.com/repo.git?ref=v1.0.0"), + Entry("path with slashes trimmed", "git::example.com/repo.git?ref=v1.0.0", "/modules/vpc/", "git::example.com/repo.git//modules/vpc?ref=v1.0.0"), + Entry("source without query", "terraform-aws-modules/vpc/aws", "modules/vpc", "terraform-aws-modules/vpc/aws//modules/vpc"), + Entry("source with trailing slash", "terraform-aws-modules/vpc/aws/", "modules/vpc", "terraform-aws-modules/vpc/aws//modules/vpc"), + Entry("empty path after trim", "terraform-aws-modules/vpc/aws", "/", "terraform-aws-modules/vpc/aws"), + Entry("query preserved", "git::https://github.com/org/repo.git?ref=v1.2.3&depth=1", "nested/path", "git::https://github.com/org/repo.git//nested/path?ref=v1.2.3&depth=1"), + ) +}) + func expectManifest(manifestPath, moduleDir string) { manifest := fmt.Sprintf(`{"Modules":[{"Key":"module.%s","Dir":"%s"}]}`, "kratix_target", moduleDir) Expect(os.MkdirAll(filepath.Dir(manifestPath), 0o755)).To(Succeed()) diff --git a/stages/terraform-module-promise/main.go b/stages/terraform-module-promise/main.go index ad046f8..fcaff56 100644 --- a/stages/terraform-module-promise/main.go +++ b/stages/terraform-module-promise/main.go @@ -45,7 +45,7 @@ func main() { uniqueFileName := strings.ToLower(fmt.Sprintf("%s_%s_%s", kind, namespace, name)) - source := buildModuleSource(moduleSource, modulePath) + source := internal.BuildModuleSource(moduleSource, modulePath) module := map[string]map[string]map[string]any{ "module": { 
@@ -105,24 +105,3 @@ func MustHaveEnv(key string) string { } panic(fmt.Sprintf("Error: %s environment variable is not set", key)) } - -func buildModuleSource(moduleSource, modulePath string) string { - if modulePath == "" { - return moduleSource - } - - trimmedPath := strings.Trim(modulePath, "/") - if trimmedPath == "" { - return moduleSource - } - - sourceParts := strings.SplitN(moduleSource, "?", 2) - baseSource := strings.TrimSuffix(sourceParts[0], "/") - sourceWithPath := fmt.Sprintf("%s//%s", baseSource, trimmedPath) - - if len(sourceParts) == 2 && sourceParts[1] != "" { - return fmt.Sprintf("%s?%s", sourceWithPath, sourceParts[1]) - } - - return sourceWithPath -} From 80938cb36427ed333fd7a9f34b6167255f148851 Mon Sep 17 00:00:00 2001 From: Jake Date: Wed, 31 Dec 2025 12:10:51 +0000 Subject: [PATCH 05/17] codex: remove unused MODULE_PATH variable --- internal/terraform_module.go | 33 ------------------------- internal/terraform_module_test.go | 14 ----------- stages/terraform-module-promise/main.go | 3 +-- 3 files changed, 1 insertion(+), 49 deletions(-) diff --git a/internal/terraform_module.go b/internal/terraform_module.go index 414074b..866dabe 100644 --- a/internal/terraform_module.go +++ b/internal/terraform_module.go 
@@ -121,39 +121,6 @@ func IsTerraformRegistrySource(moduleSource string) bool { return strings.Count(moduleSource, "/") >= 2 } -// BuildModuleSource appends a modulePath to a moduleSource while preserving query parameters. -// Examples: -// - BuildModuleSource("git::https://github.com/org/repo.git?ref=v1.0.0", "modules/vpc") -// -> "git::https://github.com/org/repo.git//modules/vpc?ref=v1.0.0" -// - BuildModuleSource("terraform-aws-modules/vpc/aws", "modules/vpc") -// -> "terraform-aws-modules/vpc/aws//modules/vpc" -// -// If modulePath is empty or only slashes, moduleSource is returned unchanged. -func BuildModuleSource(moduleSource, modulePath string) string { - trimmedPath := strings.Trim(modulePath, "/") - if trimmedPath == "" { - return moduleSource - } - - baseSource, query := splitSourceAndQuery(moduleSource) - sourceWithPath := fmt.Sprintf("%s//%s", baseSource, trimmedPath) - - if query == "" { - return sourceWithPath - } - - return fmt.Sprintf("%s?%s", sourceWithPath, query) -} - -func splitSourceAndQuery(moduleSource string) (base, query string) { - parts := strings.SplitN(moduleSource, "?", 2) - base = strings.TrimSuffix(parts[0], "/") - if len(parts) == 2 { - query = parts[1] - } - return base, query -} - func extractVariablesFromVarsFile(filePath string) ([]TerraformVariable, error) { fileContent, err := readFileContent(filePath) if err != nil { diff --git a/internal/terraform_module_test.go b/internal/terraform_module_test.go index 63cfe4c..916999a 100644 --- a/internal/terraform_module_test.go +++ b/internal/terraform_module_test.go 
@@ -254,20 +254,6 @@ var _ = Describe("IsTerraformRegistrySource", func() { ) }) -var _ = Describe("BuildModuleSource", func() { - DescribeTable("appends module path while preserving query params", - func(source, path, expected string) { - Expect(internal.BuildModuleSource(source, path)).To(Equal(expected)) - }, - Entry("no path provided", "git::example.com/repo.git?ref=v1.0.0", "", "git::example.com/repo.git?ref=v1.0.0"), - Entry("path with slashes trimmed", "git::example.com/repo.git?ref=v1.0.0", "/modules/vpc/", "git::example.com/repo.git//modules/vpc?ref=v1.0.0"), - Entry("source without query", "terraform-aws-modules/vpc/aws", "modules/vpc", "terraform-aws-modules/vpc/aws//modules/vpc"), - Entry("source with trailing slash", "terraform-aws-modules/vpc/aws/", "modules/vpc", "terraform-aws-modules/vpc/aws//modules/vpc"), - Entry("empty path after trim", "terraform-aws-modules/vpc/aws", "/", "terraform-aws-modules/vpc/aws"), - Entry("query preserved", "git::https://github.com/org/repo.git?ref=v1.2.3&depth=1", "nested/path", "git::https://github.com/org/repo.git//nested/path?ref=v1.2.3&depth=1"), - ) -}) - func expectManifest(manifestPath, moduleDir string) { manifest := fmt.Sprintf(`{"Modules":[{"Key":"module.%s","Dir":"%s"}]}`, "kratix_target", moduleDir) Expect(os.MkdirAll(filepath.Dir(manifestPath), 0o755)).To(Succeed()) diff --git a/stages/terraform-module-promise/main.go b/stages/terraform-module-promise/main.go index fcaff56..609e153 100644 --- a/stages/terraform-module-promise/main.go +++ b/stages/terraform-module-promise/main.go @@ -17,7 +17,6 @@ func main() { outputDir := GetEnv("KRATIX_OUTPUT_DIR", "/kratix/output") moduleSource := MustHaveEnv("MODULE_SOURCE") moduleRegistryVersion := os.Getenv("MODULE_REGISTRY_VERSION") - modulePath := os.Getenv("MODULE_PATH") // optional yamlContent, err := os.ReadFile(yamlFile) if err != nil { 
@@ -45,7 +44,7 @@ func main() { uniqueFileName := strings.ToLower(fmt.Sprintf("%s_%s_%s", kind, namespace, name)) - source := internal.BuildModuleSource(moduleSource, modulePath) + source := moduleSource module := map[string]map[string]map[string]any{ "module": { From 62028d6109573b2e50f1dba34f5c2111cdc865b2 Mon Sep 17 00:00:00 2001 From: Jake Date: Wed, 31 Dec 2025 12:17:02 +0000 Subject: [PATCH 06/17] fix: handle mismatch of version and git env vars in stage --- stages/terraform-module-promise/main.go | 8 +++++--- stages/terraform-module-promise/test/stage_test.go | 8 ++++++++ 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/stages/terraform-module-promise/main.go b/stages/terraform-module-promise/main.go index 609e153..b1cc393 100644 --- a/stages/terraform-module-promise/main.go +++ b/stages/terraform-module-promise/main.go @@ -18,6 +18,10 @@ func main() { moduleSource := MustHaveEnv("MODULE_SOURCE") moduleRegistryVersion := os.Getenv("MODULE_REGISTRY_VERSION") + if moduleRegistryVersion != "" && !internal.IsTerraformRegistrySource(moduleSource) { + log.Fatalf("MODULE_REGISTRY_VERSION is only valid for Terraform registry sources (e.g., \"namespace/name/provider\"). For git or local sources, embed the ref directly in MODULE_SOURCE (e.g., \"git::https://github.com/org/repo.git?ref=v1.2.3\"). Provided module_source=%q", moduleSource) + } + yamlContent, err := os.ReadFile(yamlFile) if err != nil { log.Fatalf("Error reading YAML file %s: %v\n", yamlFile, err) @@ -44,12 +48,10 @@ func main() { uniqueFileName := strings.ToLower(fmt.Sprintf("%s_%s_%s", kind, namespace, name)) - source := moduleSource - module := map[string]map[string]map[string]any{ "module": { uniqueFileName: { - "source": source, + "source": moduleSource, }, }, } diff --git a/stages/terraform-module-promise/test/stage_test.go b/stages/terraform-module-promise/test/stage_test.go index 5f8f7a6..c2b9a5d 100644 --- a/stages/terraform-module-promise/test/stage_test.go 
+++ b/stages/terraform-module-promise/test/stage_test.go
@@ -147,4 +147,12 @@ var _ = Describe("From TF module to Promise Stage", func() {
 Expect(err).NotTo(HaveOccurred())
 Expect(string(output)).To(MatchJSON(expectedRegistryOutput))
 })
+
+ It("errors when registry version is used with a non-registry source", func() {
+ envVars["MODULE_REGISTRY_VERSION"] = "9.9.9"
+ session := runWithEnv(envVars)
+ Eventually(session).Should(gexec.Exit())
+ Expect(session.ExitCode()).NotTo(Equal(0))
+ Expect(session.Err).To(gbytes.Say("MODULE_REGISTRY_VERSION is only valid for Terraform registry sources"))
+ })
 })
From c78f805d82dd9f7673ae4db106e6f10a32f59da5 Mon Sep 17 00:00:00 2001
From: Jake
Date: Wed, 31 Dec 2025 12:22:10 +0000
Subject: [PATCH 07/17] codex: add sys test
---
 internal/terraform_module.go | 4 +
 test/assets/terraform/vars/simple.hcl | 9 +++
 test/init_tf_module_sources_test.go | 105 ++++++++++++++++++++++++++
 3 files changed, 118 insertions(+)
 create mode 100644 test/assets/terraform/vars/simple.hcl
 create mode 100644 test/init_tf_module_sources_test.go
diff --git a/internal/terraform_module.go b/internal/terraform_module.go
index 866dabe..2b778f2 100644
--- a/internal/terraform_module.go
+++ b/internal/terraform_module.go
@@ -29,6 +29,10 @@ var (
 )
 
 func GetVariablesFromModule(moduleSource, moduleRegistryVersion string) ([]TerraformVariable, error) {
+ if testVarsFile := os.Getenv("KRATIX_TEST_TF_VARS_FILE"); testVarsFile != "" {
+ return extractVariablesFromVarsFile(testVarsFile)
+ }
+
 tempDir, err := mkdirTemp("", "terraform-module")
 if err != nil {
 return nil, fmt.Errorf("failed to create temp directory: %w", err)
diff --git a/test/assets/terraform/vars/simple.hcl b/test/assets/terraform/vars/simple.hcl
new file mode 100644
index 0000000..b6f40fb
--- /dev/null
+++ b/test/assets/terraform/vars/simple.hcl
@@ -0,0 +1,9 @@
+variable "name" {
+ type = string
+ description = "Name of the resource"
+}
+
+variable "size" {
+ type = number
+ default = 1
+}
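Review bot: The `KRATIX_TEST_TF_VARS_FILE` branch at the top of `GetVariablesFromModule` puts a test-only bypass into the shipped binary: when the variable is set, terraform is skipped entirely and the variables are read from whatever file the variable names, while moduleSource and moduleRegistryVersion are silently ignored, so a stale variable in a developer's shell yields a promise generated from the wrong module with no indication in the output. The file already has an injection seam for the unit tests (`terraformInit` / `SetTerraformInitFunc`); the integration test drives the built binary, so that seam may not reach it, but the hook could then be confined to a build-tag-guarded file or at least announced, e.g. `fmt.Fprintf(os.Stderr, "KRATIX_TEST_TF_VARS_FILE is set; reading variables from %s instead of %s\n", testVarsFile, moduleSource)`. If it stays, a comment on the branch should say it exists only for the system tests and must not be set in normal use.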
diff --git a/test/init_tf_module_sources_test.go b/test/init_tf_module_sources_test.go
new file mode 100644
index 0000000..e68ef48
--- /dev/null
+++ b/test/init_tf_module_sources_test.go
@@ -0,0 +1,105 @@ +package integration_test + +import ( + "os" + "path/filepath" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + "github.com/onsi/gomega/gbytes" + "github.com/onsi/gomega/gexec" + "sigs.k8s.io/yaml" +) + +var _ = Describe("InitTerraformPromise module sources", func() { + const testVarsFile = "assets/terraform/vars/simple.hcl" + + var ( + r *runner + workingDir string + flags map[string]string + ) + + BeforeEach(func() { + var err error + workingDir, err = os.MkdirTemp("", "kratix-test-sources") + Expect(err).NotTo(HaveOccurred()) + + r = &runner{exitCode: 0} + flags = map[string]string{ + "--group": "example.com", + "--kind": "Example", + "--version": "v1alpha1", + "--dir": workingDir, + "--split": "", + } + }) + + AfterEach(func() { + os.Unsetenv("KRATIX_TEST_TF_VARS_FILE") + Expect(os.RemoveAll(workingDir)).To(Succeed()) + }) + + getWorkflowEnvs := func() map[string]string { + workflowsPath := filepath.Join(workingDir, "workflows", "resource", "configure", "workflow.yaml") + bytes, err := os.ReadFile(workflowsPath) + Expect(err).NotTo(HaveOccurred()) + + var pipelines []map[string]any + Expect(yaml.Unmarshal(bytes, &pipelines)).To(Succeed()) + Expect(pipelines).ToNot(BeEmpty()) + + spec, ok := pipelines[0]["spec"].(map[string]any) + Expect(ok).To(BeTrue()) + containers, ok := spec["containers"].([]any) + Expect(ok).To(BeTrue()) + Expect(containers).ToNot(BeEmpty()) + firstContainer, ok := containers[0].(map[string]any) + Expect(ok).To(BeTrue()) + envList, ok := firstContainer["env"].([]any) + Expect(ok).To(BeTrue()) + + envs := map[string]string{} + for _, item := range envList { + entry, ok := item.(map[string]any) + Expect(ok).To(BeTrue()) + name, _ := entry["name"].(string) + value, _ := entry["value"].(string) + envs[name] = value + } + return envs + } + + DescribeTable("supports module sources and registry versions", + func(source, registryVersion string, expectVersion bool) { + absVarsFile, err := filepath.Abs(testVarsFile) 
+ Expect(err).NotTo(HaveOccurred()) + os.Setenv("KRATIX_TEST_TF_VARS_FILE", absVarsFile) + + flags["--module-source"] = source + if registryVersion != "" { + flags["--module-registry-version"] = registryVersion + } else { + delete(flags, "--module-registry-version") + } + + r.flags = flags + session := r.run("init", "tf-module-promise", "example") + Expect(session).To(gexec.Exit(0)) + Expect(session.Out).To(gbytes.Say("Promise generated successfully")) + + envs := getWorkflowEnvs() + Expect(envs["MODULE_SOURCE"]).To(Equal(source)) + if expectVersion { + Expect(envs).To(HaveKeyWithValue("MODULE_REGISTRY_VERSION", registryVersion)) + } else { + Expect(envs).NotTo(HaveKey("MODULE_REGISTRY_VERSION")) + } + }, + Entry("open source git repo with embedded ref", "git::https://github.com/example/open.git?ref=v1.0.0", "", false), + Entry("private git repo placeholder with ref", "git::ssh://git@github.com/example/private.git?ref=v0.1.0", "", false), + Entry("registry with version", "terraform-aws-modules/vpc/aws", "5.0.0", true), + Entry("nested registry with version", "acme/networking/vpc/aws", "3.2.1", true), + Entry("registry without version", "terraform-providers/random/aws", "", false), + ) +}) From 40abde48313927a15903226928e0dd301659819e Mon Sep 17 00:00:00 2001 From: Jake Date: Wed, 31 Dec 2025 12:32:44 +0000 Subject: [PATCH 08/17] codex: sys test against real world --- internal/terraform_module.go | 4 - .../modules/local/basic/variables.tf | 14 ++ test/assets/terraform/vars/simple.hcl | 9 - test/init_tf_module_sources_test.go | 205 +++++++++++++----- 4 files changed, 164 insertions(+), 68 deletions(-) create mode 100644 test/assets/terraform/modules/local/basic/variables.tf delete mode 100644 test/assets/terraform/vars/simple.hcl diff --git a/internal/terraform_module.go b/internal/terraform_module.go index 2b778f2..866dabe 100644 --- a/internal/terraform_module.go +++ b/internal/terraform_module.go 
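Review bot: `os.Setenv("KRATIX_TEST_TF_VARS_FILE", absVarsFile)` in the table body and `os.Unsetenv` in AfterEach both discard their error results, and because the variable is process-wide it stays set for any spec that runs between the two calls. `GinkgoT().Setenv("KRATIX_TEST_TF_VARS_FILE", absVarsFile)` restores the previous value when the spec finishes and makes the AfterEach line unnecessary. Because every entry is served from the same `simple.hcl` through that hook, none of them exercises real source resolution — the `git::ssh://...private.git` entry passes without any credentials — so the table's name overstates what it covers; PATCH 08 later in this series replaces the hook with real module fetches.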
@@ -29,10 +29,6 @@ var ( ) func GetVariablesFromModule(moduleSource, moduleRegistryVersion string) ([]TerraformVariable, error) { - if testVarsFile := os.Getenv("KRATIX_TEST_TF_VARS_FILE"); testVarsFile != "" { - return extractVariablesFromVarsFile(testVarsFile) - } - tempDir, err := mkdirTemp("", "terraform-module") if err != nil { return nil, fmt.Errorf("failed to create temp directory: %w", err) diff --git a/test/assets/terraform/modules/local/basic/variables.tf b/test/assets/terraform/modules/local/basic/variables.tf new file mode 100644 index 0000000..68b6398 --- /dev/null +++ b/test/assets/terraform/modules/local/basic/variables.tf @@ -0,0 +1,14 @@ +variable "name" { + type = string + description = "Name for the resource" +} + +variable "size" { + type = number + default = 1 +} + +variable "tags" { + type = map(string) + default = {} +} diff --git a/test/assets/terraform/vars/simple.hcl b/test/assets/terraform/vars/simple.hcl deleted file mode 100644 index b6f40fb..0000000 --- a/test/assets/terraform/vars/simple.hcl +++ /dev/null @@ -1,9 +0,0 @@ -variable "name" { - type = string - description = "Name of the resource" -} - -variable "size" { - type = number - default = 1 -} diff --git a/test/init_tf_module_sources_test.go b/test/init_tf_module_sources_test.go index e68ef48..5f6935d 100644 --- a/test/init_tf_module_sources_test.go +++ b/test/init_tf_module_sources_test.go @@ -1,7 +1,9 @@ package integration_test import ( + "fmt" "os" + "os/exec" "path/filepath" . "github.com/onsi/ginkgo/v2" 
@@ -11,8 +13,63 @@ import ( "sigs.k8s.io/yaml" ) -var _ = Describe("InitTerraformPromise module sources", func() { - const testVarsFile = "assets/terraform/vars/simple.hcl" +type moduleTestCase struct { + name string + moduleSource string + moduleRegistryVer string + expectRegistryEnv bool + expectedProperties []string + expectFailure bool + skip bool +} + +var _ = Describe("InitTerraformPromise source integration", func() { + if _, err := exec.LookPath("terraform"); err != nil { + Skip("terraform binary not found in PATH; skipping module source integration tests") + } + + cwd, err := os.Getwd() + Expect(err).NotTo(HaveOccurred()) + localModulePath := filepath.Join(cwd, "assets", "terraform", "modules", "local", "basic") + + cases := []moduleTestCase{ + { + name: "open source git repo with ref", + moduleSource: "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v5.7.0", + expectedProperties: []string{"name", "cidr"}, + }, + { + name: "private git repo placeholder", + moduleSource: "git::ssh://git@github.com/example/private-repo.git?ref=v0.1.0", + expectedProperties: []string{}, + expectFailure: true, + skip: true, // enable once credentials/repo exist + }, + { + name: "registry with version", + moduleSource: "terraform-aws-modules/s3-bucket/aws", + moduleRegistryVer: "4.1.2", + expectRegistryEnv: true, + expectedProperties: []string{"bucket"}, + }, + { + name: "nested registry module path with version", + moduleSource: "terraform-aws-modules/vpc/aws//modules/vpc-endpoints", + moduleRegistryVer: "5.7.0", + expectRegistryEnv: true, + expectedProperties: []string{"vpc_id"}, + }, + { + name: "registry without version", + moduleSource: "terraform-aws-modules/vpc/aws", + expectedProperties: []string{"name", "cidr"}, + }, + { + name: "local filesystem module", + moduleSource: localModulePath, + expectedProperties: []string{"name", "size", "tags"}, + }, + } var ( r *runner 
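Review bot: `Skip(...)` and `Expect(err).NotTo(HaveOccurred())` run in the body of the `Describe` closure, which Ginkgo v2 executes while building the spec tree rather than inside a spec; as far as I know Ginkgo v2 reports Skip/Fail from a container node as a spec-structure error, so a missing `terraform` binary or a failing `os.Getwd` would abort the suite instead of skipping these specs. Move the `exec.LookPath` check into the `BeforeEach` that follows this hunk; `os.Getwd` has to stay at construction time because `cases` is consumed by the It loop, so record its error in a variable and assert on it inside that BeforeEach as well. Separately, the cases fetch real modules from GitHub and the public registry, and "registry without version" resolves to whatever the latest `terraform-aws-modules/vpc/aws` release is on the day the suite runs, so `expectedProperties` for that entry can drift; pin a version or document that it is a live smoke test. The `var (` block the hunk ends on continues outside it.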
@@ -25,7 +82,7 @@ var _ = Describe("InitTerraformPromise module sources", func() { workingDir, err = os.MkdirTemp("", "kratix-test-sources") Expect(err).NotTo(HaveOccurred()) - r = &runner{exitCode: 0} + r = &runner{exitCode: 0, Path: os.Getenv("PATH")} flags = map[string]string{ "--group": "example.com", "--kind": "Example", 
@@ -36,70 +93,108 @@ var _ = Describe("InitTerraformPromise module sources", func() { }) AfterEach(func() { - os.Unsetenv("KRATIX_TEST_TF_VARS_FILE") Expect(os.RemoveAll(workingDir)).To(Succeed()) }) - getWorkflowEnvs := func() map[string]string { - workflowsPath := filepath.Join(workingDir, "workflows", "resource", "configure", "workflow.yaml") - bytes, err := os.ReadFile(workflowsPath) - Expect(err).NotTo(HaveOccurred()) - - var pipelines []map[string]any - Expect(yaml.Unmarshal(bytes, &pipelines)).To(Succeed()) - Expect(pipelines).ToNot(BeEmpty()) - - spec, ok := pipelines[0]["spec"].(map[string]any) - Expect(ok).To(BeTrue()) - containers, ok := spec["containers"].([]any) - Expect(ok).To(BeTrue()) - Expect(containers).ToNot(BeEmpty()) - firstContainer, ok := containers[0].(map[string]any) - Expect(ok).To(BeTrue()) - envList, ok := firstContainer["env"].([]any) - Expect(ok).To(BeTrue()) - - envs := map[string]string{} - for _, item := range envList { - entry, ok := item.(map[string]any) - Expect(ok).To(BeTrue()) - name, _ := entry["name"].(string) - value, _ := entry["value"].(string) - envs[name] = value - } - return envs - } - - DescribeTable("supports module sources and registry versions", - func(source, registryVersion string, expectVersion bool) { - absVarsFile, err := filepath.Abs(testVarsFile) - Expect(err).NotTo(HaveOccurred()) - os.Setenv("KRATIX_TEST_TF_VARS_FILE", absVarsFile) + for _, tc := range cases { + tc := tc + It(fmt.Sprintf("handles %s", tc.name), func() { + if tc.skip { + Skip("pending setup for private repo") + } - flags["--module-source"] = source - if registryVersion != "" { - flags["--module-registry-version"] = registryVersion + flags["--module-source"] = tc.moduleSource + if tc.moduleRegistryVer != "" { + flags["--module-registry-version"] = tc.moduleRegistryVer } else { delete(flags, "--module-registry-version") } - r.flags = flags - session := r.run("init", "tf-module-promise", "example") + runnerArgs := []string{"init", 
"tf-module-promise", "example"} + + session := r.run(runnerArgs...) + if tc.expectFailure { + Expect(session.ExitCode()).NotTo(Equal(0)) + return + } + Expect(session).To(gexec.Exit(0)) Expect(session.Out).To(gbytes.Say("Promise generated successfully")) - envs := getWorkflowEnvs() - Expect(envs["MODULE_SOURCE"]).To(Equal(source)) - if expectVersion { - Expect(envs).To(HaveKeyWithValue("MODULE_REGISTRY_VERSION", registryVersion)) + envs := readWorkflowEnvs(workingDir) + Expect(envs["MODULE_SOURCE"]).To(Equal(tc.moduleSource)) + if tc.expectRegistryEnv { + Expect(envs).To(HaveKeyWithValue("MODULE_REGISTRY_VERSION", tc.moduleRegistryVer)) } else { Expect(envs).NotTo(HaveKey("MODULE_REGISTRY_VERSION")) } - }, - Entry("open source git repo with embedded ref", "git::https://github.com/example/open.git?ref=v1.0.0", "", false), - Entry("private git repo placeholder with ref", "git::ssh://git@github.com/example/private.git?ref=v0.1.0", "", false), - Entry("registry with version", "terraform-aws-modules/vpc/aws", "5.0.0", true), - Entry("nested registry with version", "acme/networking/vpc/aws", "3.2.1", true), - Entry("registry without version", "terraform-providers/random/aws", "", false), - ) + + specProps := readSpecProperties(workingDir) + for _, prop := range tc.expectedProperties { + Expect(specProps).To(HaveKey(prop)) + } + }) + } }) + +func readWorkflowEnvs(workingDir string) map[string]string { + workflowsPath := filepath.Join(workingDir, "workflows", "resource", "configure", "workflow.yaml") + bytes, err := os.ReadFile(workflowsPath) + Expect(err).NotTo(HaveOccurred()) + + var pipelines []map[string]any + Expect(yaml.Unmarshal(bytes, &pipelines)).To(Succeed()) + Expect(pipelines).ToNot(BeEmpty()) + + spec, ok := pipelines[0]["spec"].(map[string]any) + Expect(ok).To(BeTrue()) + containers, ok := spec["containers"].([]any) + Expect(ok).To(BeTrue()) + Expect(containers).ToNot(BeEmpty()) + firstContainer, ok := containers[0].(map[string]any) + Expect(ok).To(BeTrue()) 
+ envList, ok := firstContainer["env"].([]any) + Expect(ok).To(BeTrue()) + + envs := map[string]string{} + for _, item := range envList { + entry, ok := item.(map[string]any) + Expect(ok).To(BeTrue()) + name, _ := entry["name"].(string) + value, _ := entry["value"].(string) + envs[name] = value + } + return envs +} + +func readSpecProperties(workingDir string) map[string]any { + apiPath := filepath.Join(workingDir, "api.yaml") + contents, err := os.ReadFile(apiPath) + if err != nil { + // fallback to promise.yaml when split not used + contents, err = os.ReadFile(filepath.Join(workingDir, "promise.yaml")) + Expect(err).NotTo(HaveOccurred()) + } + + var doc map[string]any + Expect(yaml.Unmarshal(contents, &doc)).To(Succeed()) + + // If promise.yaml, drill into spec.api + if kind, _ := doc["kind"].(string); kind == "Promise" { + spec, _ := doc["spec"].(map[string]any) + api, _ := spec["api"].(map[string]any) + doc = api + } + + spec, _ := doc["spec"].(map[string]any) + versions, _ := spec["versions"].([]any) + Expect(versions).ToNot(BeEmpty()) + firstVersion, _ := versions[0].(map[string]any) + schema, _ := firstVersion["schema"].(map[string]any) + openAPISchema, _ := schema["openAPIV3Schema"].(map[string]any) + properties, _ := openAPISchema["properties"].(map[string]any) + specProps, _ := properties["spec"].(map[string]any) + propMap, _ := specProps["properties"].(map[string]any) + Expect(propMap).ToNot(BeNil()) + return propMap +} From a147012fd2ee86cadc2075330e29269e89bab169 Mon Sep 17 00:00:00 2001 
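Review bot: In the `tc.expectFailure` branch, `Expect(session.ExitCode()).NotTo(Equal(0))` is vacuously true if `r.run` returns before the child exits, since gexec's `ExitCode()` reports -1 for a still-running process; the stage test earlier in this series waits with `Eventually(session).Should(gexec.Exit())` first, and the same line belongs here unless `runner.run` (defined outside the hunk) already waits. The branch is currently dead because the only failing case is marked `skip: true`, which is a reason to get it right now rather than debug it when the private-repo case is enabled. In `readSpecProperties`, every intermediate type assertion discards `ok`, so a wrong document shape surfaces only as `propMap` being nil at the very end; asserting each level with `Expect(ok).To(BeTrue())` as `readWorkflowEnvs` does would name the level that broke. Minor: the local `bytes` in `readWorkflowEnvs` shadows the standard `bytes` package name; `contents`, as used in `readSpecProperties`, reads better.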
From: Jake Date: Wed, 31 Dec 2025 12:49:52 +0000 Subject: [PATCH 09/17] codex: improve sys tests --- nested-registry-variables.tf | 81 + registry-variables.tf | 267 +++ .../vars/nested-registry-variables.tf | 81 + .../terraform/vars/registry-variables.tf | 317 ++++ test/assets/terraform/vars/vpc-variables.tf | 1597 +++++++++++++++++ test/init_tf_module_sources_test.go | 209 ++- variables.tf | 1597 +++++++++++++++++ 7 files changed, 4044 insertions(+), 105 deletions(-) create mode 100644 nested-registry-variables.tf create mode 100644 registry-variables.tf create mode 100644 test/assets/terraform/vars/nested-registry-variables.tf create mode 100644 test/assets/terraform/vars/registry-variables.tf create mode 100644 test/assets/terraform/vars/vpc-variables.tf create mode 100644 variables.tf diff --git a/nested-registry-variables.tf b/nested-registry-variables.tf new file mode 100644 index 0000000..30a747a --- /dev/null +++ b/nested-registry-variables.tf 
@@ -0,0 +1,81 @@ +variable "create" { + description = "Determines whether resources will be created" + type = bool + default = true +} + +variable "vpc_id" { + description = "The ID of the VPC in which the endpoint will be used" + type = string + default = null +} + +variable "endpoints" { + description = "A map of interface and/or gateway endpoints containing their properties and configurations" + type = any + default = {} +} + +variable "security_group_ids" { + description = "Default security group IDs to associate with the VPC endpoints" + type = list(string) + default = [] +} + +variable "subnet_ids" { + description = "Default subnets IDs to associate with the VPC endpoints" + type = list(string) + default = [] +} + +variable "tags" { + description = "A map of tags to use on all resources" + type = map(string) + default = {} +} + +variable "timeouts" { + description = "Define maximum timeout for creating, updating, and deleting VPC endpoint resources" + type = map(string) + default = {} +} + +################################################################################ +# Security Group +################################################################################ + +variable "create_security_group" { + description = "Determines if a security group is created" + type = bool + default = false +} + +variable "security_group_name" { + description = "Name to use on security group created. Conflicts with `security_group_name_prefix`" + type = string + default = null +} + +variable "security_group_name_prefix" { + description = "Name prefix to use on security group created. 
Conflicts with `security_group_name`" + type = string + default = null +} + +variable "security_group_description" { + description = "Description of the security group created" + type = string + default = null +} + +variable "security_group_rules" { + description = "Security group rules to add to the security group created" + type = any + default = {} +} + +variable "security_group_tags" { + description = "A map of additional tags to add to the security group created" + type = map(string) + default = {} +} diff --git a/registry-variables.tf b/registry-variables.tf new file mode 100644 index 0000000..9a77af7 --- /dev/null +++ b/registry-variables.tf 
@@ -0,0 +1,267 @@ +Optional Inputs +These variables have default values and don't have to be set to use this module. You may set these variables to override their default values. This module has no required variables. + +acceleration_status string +Description: (Optional) Sets the accelerate configuration of an existing bucket. Can be Enabled or Suspended. + +Default: null + +access_log_delivery_policy_source_accounts list(string) +Description: (Optional) List of AWS Account IDs should be allowed to deliver access logs to this bucket. + +Default: [] + +access_log_delivery_policy_source_buckets list(string) +Description: (Optional) List of S3 bucket ARNs which should be allowed to deliver access logs to this bucket. + +Default: [] + +acl string +Description: (Optional) The canned ACL to apply. Conflicts with `grant` + +Default: null + +allowed_kms_key_arn string +Description: The ARN of KMS key which should be allowed in PutObject + +Default: null + +analytics_configuration any +Description: Map containing bucket analytics configuration. + +Default: {} + +analytics_self_source_destination bool +Description: Whether or not the analytics source bucket is also the destination bucket. + +Default: false + +analytics_source_account_id string +Description: The analytics source account id. + +Default: null + +analytics_source_bucket_arn string +Description: The analytics source bucket ARN. + +Default: null + +attach_access_log_delivery_policy bool +Description: Controls if S3 bucket should have S3 access log delivery policy attached + +Default: false + +attach_analytics_destination_policy bool +Description: Controls if S3 bucket should have bucket analytics destination policy attached. + +Default: false + +attach_deny_incorrect_encryption_headers bool +Description: Controls if S3 bucket should deny incorrect encryption headers policy attached. 
+ +Default: false + +attach_deny_incorrect_kms_key_sse bool +Description: Controls if S3 bucket policy should deny usage of incorrect KMS key SSE. + +Default: false + +attach_deny_insecure_transport_policy bool +Description: Controls if S3 bucket should have deny non-SSL transport policy attached + +Default: false + +attach_deny_unencrypted_object_uploads bool +Description: Controls if S3 bucket should deny unencrypted object uploads policy attached. + +Default: false + +attach_elb_log_delivery_policy bool +Description: Controls if S3 bucket should have ELB log delivery policy attached + +Default: false + +attach_inventory_destination_policy bool +Description: Controls if S3 bucket should have bucket inventory destination policy attached. + +Default: false + +attach_lb_log_delivery_policy bool +Description: Controls if S3 bucket should have ALB/NLB log delivery policy attached + +Default: false + +attach_policy bool +Description: Controls if S3 bucket should have bucket policy attached (set to `true` to use value of `policy` as bucket policy) + +Default: false + +attach_public_policy bool +Description: Controls if a user defined public bucket policy will be attached (set to `false` to allow upstream to apply defaults to the bucket) + +Default: true + +attach_require_latest_tls_policy bool +Description: Controls if S3 bucket should require the latest version of TLS + +Default: false + +block_public_acls bool +Description: Whether Amazon S3 should block public ACLs for this bucket. + +Default: true + +block_public_policy bool +Description: Whether Amazon S3 should block public bucket policies for this bucket. + +Default: true + +bucket string +Description: (Optional, Forces new resource) The name of the bucket. If omitted, Terraform will assign a random, unique name. + +Default: null + +bucket_prefix string +Description: (Optional, Forces new resource) Creates a unique bucket name beginning with the specified prefix. Conflicts with bucket. 
+ +Default: null + +control_object_ownership bool +Description: Whether to manage S3 Bucket Ownership Controls on this bucket. + +Default: false + +cors_rule any +Description: List of maps containing rules for Cross-Origin Resource Sharing. + +Default: [] + +create_bucket bool +Description: Controls if S3 bucket should be created + +Default: true + +expected_bucket_owner string +Description: The account ID of the expected bucket owner + +Default: null + +force_destroy bool +Description: (Optional, Default:false ) A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. + +Default: false + +grant any +Description: An ACL policy grant. Conflicts with `acl` + +Default: [] + +ignore_public_acls bool +Description: Whether Amazon S3 should ignore public ACLs for this bucket. + +Default: true + +intelligent_tiering any +Description: Map containing intelligent tiering configuration. + +Default: {} + +inventory_configuration any +Description: Map containing S3 inventory configuration. + +Default: {} + +inventory_self_source_destination bool +Description: Whether or not the inventory source bucket is also the destination bucket. + +Default: false + +inventory_source_account_id string +Description: The inventory source account id. + +Default: null + +inventory_source_bucket_arn string +Description: The inventory source bucket ARN. + +Default: null + +lifecycle_rule any +Description: List of maps containing configuration of object lifecycle management. + +Default: [] + +logging any +Description: Map containing access bucket logging configuration. + +Default: {} + +metric_configuration any +Description: Map containing bucket metric configuration. + +Default: [] + +object_lock_configuration any +Description: Map containing S3 object locking configuration. + +Default: {} + +object_lock_enabled bool +Description: Whether S3 bucket should have an Object Lock configuration enabled. 
+ +Default: false + +object_ownership string +Description: Object ownership. Valid values: BucketOwnerEnforced, BucketOwnerPreferred or ObjectWriter. 'BucketOwnerEnforced': ACLs are disabled, and the bucket owner automatically owns and has full control over every object in the bucket. 'BucketOwnerPreferred': Objects uploaded to the bucket change ownership to the bucket owner if the objects are uploaded with the bucket-owner-full-control canned ACL. 'ObjectWriter': The uploading account will own the object if the object is uploaded with the bucket-owner-full-control canned ACL. + +Default: "BucketOwnerEnforced" + +owner map(string) +Description: Bucket owner's display name and ID. Conflicts with `acl` + +Default: {} + +policy string +Description: (Optional) A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide. + +Default: null + +putin_khuylo bool +Description: Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo! + +Default: true + +replication_configuration any +Description: Map containing cross-region replication configuration. + +Default: {} + +request_payer string +Description: (Optional) Specifies who should bear the cost of Amazon S3 data transfer. Can be either BucketOwner or Requester. By default, the owner of the S3 bucket would incur the costs of any data transfer. See Requester Pays Buckets developer guide for more information. + +Default: null + +restrict_public_buckets bool +Description: Whether Amazon S3 should restrict public bucket policies for this bucket. 
+ +Default: true + +server_side_encryption_configuration any +Description: Map containing server-side encryption configuration. + +Default: {} + +tags map(string) +Description: (Optional) A mapping of tags to assign to the bucket. + +Default: {} + +versioning map(string) +Description: Map containing versioning configuration. + +Default: {} + +website any +Description: Map containing static web-site hosting or redirect configuration. + +Default: {} diff --git a/test/assets/terraform/vars/nested-registry-variables.tf b/test/assets/terraform/vars/nested-registry-variables.tf new file mode 100644 index 0000000..30a747a --- /dev/null +++ b/test/assets/terraform/vars/nested-registry-variables.tf 
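Review bot: `nested-registry-variables.tf` and `registry-variables.tf` are added at the repository root, duplicating what this patch also adds under `test/assets/terraform/vars/`, and the root `registry-variables.tf` is the registry's rendered "Optional Inputs" listing rather than HCL, so any `terraform` invocation from the repository root would fail to parse it. These look like scratch output captured by a broad `git add` (the diffstat also lists a 1597-line root `variables.tf` that is outside this chunk); drop the root copies and keep only the `test/assets` versions. The same applies to the `nested-registry-variables.tf` hunk that precedes this one.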
@@ -0,0 +1,81 @@ +variable "create" { + description = "Determines whether resources will be created" + type = bool + default = true +} + +variable "vpc_id" { + description = "The ID of the VPC in which the endpoint will be used" + type = string + default = null +} + +variable "endpoints" { + description = "A map of interface and/or gateway endpoints containing their properties and configurations" + type = any + default = {} +} + +variable "security_group_ids" { + description = "Default security group IDs to associate with the VPC endpoints" + type = list(string) + default = [] +} + +variable "subnet_ids" { + description = "Default subnets IDs to associate with the VPC endpoints" + type = list(string) + default = [] +} + +variable "tags" { + description = "A map of tags to use on all resources" + type = map(string) + default = {} +} + +variable "timeouts" { + description = "Define maximum timeout for creating, updating, and deleting VPC endpoint resources" + type = map(string) + default = {} +} + +################################################################################ +# Security Group +################################################################################ + +variable "create_security_group" { + description = "Determines if a security group is created" + type = bool + default = false +} + +variable "security_group_name" { + description = "Name to use on security group created. Conflicts with `security_group_name_prefix`" + type = string + default = null +} + +variable "security_group_name_prefix" { + description = "Name prefix to use on security group created. 
Conflicts with `security_group_name`" + type = string + default = null +} + +variable "security_group_description" { + description = "Description of the security group created" + type = string + default = null +} + +variable "security_group_rules" { + description = "Security group rules to add to the security group created" + type = any + default = {} +} + +variable "security_group_tags" { + description = "A map of additional tags to add to the security group created" + type = map(string) + default = {} +} diff --git a/test/assets/terraform/vars/registry-variables.tf b/test/assets/terraform/vars/registry-variables.tf new file mode 100644 index 0000000..95e0cb4 --- /dev/null +++ b/test/assets/terraform/vars/registry-variables.tf 
@@ -0,0 +1,317 @@
+variable "create_bucket" {
+ description = "Controls if S3 bucket should be created"
+ type = bool
+ default = true
+}
+
+variable "attach_elb_log_delivery_policy" {
+ description = "Controls if S3 bucket should have ELB log delivery policy attached"
+ type = bool
+ default = false
+}
+
+variable "attach_lb_log_delivery_policy" {
+ description = "Controls if S3 bucket should have ALB/NLB log delivery policy attached"
+ type = bool
+ default = false
+}
+
+variable "attach_access_log_delivery_policy" {
+ description = "Controls if S3 bucket should have S3 access log delivery policy attached"
+ type = bool
+ default = false
+}
+
+variable "attach_deny_insecure_transport_policy" {
+ description = "Controls if S3 bucket should have deny non-SSL transport policy attached"
+ type = bool
+ default = false
+}
+
+variable "attach_require_latest_tls_policy" {
+ description = "Controls if S3 bucket should require the latest version of TLS"
+ type = bool
+ default = false
+}
+
+variable "attach_policy" {
+ description = "Controls if S3 bucket should have bucket policy attached (set to `true` to use value of `policy` as bucket policy)"
+ type = bool
+ default = false
+}
+
+variable "attach_public_policy" {
+ description = "Controls if a user defined public bucket policy will be attached (set to `false` to allow upstream to apply defaults to the bucket)"
+ type = bool
+ default = true
+}
+
+variable "attach_inventory_destination_policy" {
+ description = "Controls if S3 bucket should have bucket inventory destination policy attached."
+ type = bool
+ default = false
+}
+
+variable "attach_analytics_destination_policy" {
+ description = "Controls if S3 bucket should have bucket analytics destination policy attached."
+ type = bool
+ default = false
+}
+
+variable "attach_deny_incorrect_encryption_headers" {
+ description = "Controls if S3 bucket should deny incorrect encryption headers policy attached."
+ type = bool
+ default = false
+}
+
+variable "attach_deny_incorrect_kms_key_sse" {
+ description = "Controls if S3 bucket policy should deny usage of incorrect KMS key SSE."
+ type = bool
+ default = false
+}
+
+variable "allowed_kms_key_arn" {
+ description = "The ARN of KMS key which should be allowed in PutObject"
+ type = string
+ default = null
+}
+
+variable "attach_deny_unencrypted_object_uploads" {
+ description = "Controls if S3 bucket should deny unencrypted object uploads policy attached."
+ type = bool
+ default = false
+}
+
+variable "bucket" {
+ description = "(Optional, Forces new resource) The name of the bucket. If omitted, Terraform will assign a random, unique name."
+ type = string
+ default = null
+}
+
+variable "bucket_prefix" {
+ description = "(Optional, Forces new resource) Creates a unique bucket name beginning with the specified prefix. Conflicts with bucket."
+ type = string
+ default = null
+}
+
+variable "acl" {
+ description = "(Optional) The canned ACL to apply. Conflicts with `grant`"
+ type = string
+ default = null
+}
+
+variable "policy" {
+ description = "(Optional) A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide."
+ type = string
+ default = null
+}
+
+variable "tags" {
+ description = "(Optional) A mapping of tags to assign to the bucket."
+ type = map(string)
+ default = {}
+}
+
+variable "force_destroy" {
+ description = "(Optional, Default:false ) A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable."
+ type = bool
+ default = false
+}
+
+variable "acceleration_status" {
+ description = "(Optional) Sets the accelerate configuration of an existing bucket. Can be Enabled or Suspended."
+ type = string
+ default = null
+}
+
+variable "request_payer" {
+ description = "(Optional) Specifies who should bear the cost of Amazon S3 data transfer. Can be either BucketOwner or Requester. By default, the owner of the S3 bucket would incur the costs of any data transfer. See Requester Pays Buckets developer guide for more information."
+ type = string
+ default = null
+}
+
+variable "website" {
+ description = "Map containing static web-site hosting or redirect configuration."
+ type = any # map(string)
+ default = {}
+}
+
+variable "cors_rule" {
+ description = "List of maps containing rules for Cross-Origin Resource Sharing."
+ type = any
+ default = []
+}
+
+variable "versioning" {
+ description = "Map containing versioning configuration."
+ type = map(string)
+ default = {}
+}
+
+variable "logging" {
+ description = "Map containing access bucket logging configuration."
+ type = any
+ default = {}
+}
+
+variable "access_log_delivery_policy_source_buckets" {
+ description = "(Optional) List of S3 bucket ARNs which should be allowed to deliver access logs to this bucket."
+ type = list(string)
+ default = []
+}
+
+variable "access_log_delivery_policy_source_accounts" {
+ description = "(Optional) List of AWS Account IDs should be allowed to deliver access logs to this bucket."
+ type = list(string)
+ default = []
+}
+
+variable "grant" {
+ description = "An ACL policy grant. Conflicts with `acl`"
+ type = any
+ default = []
+}
+
+variable "owner" {
+ description = "Bucket owner's display name and ID. Conflicts with `acl`"
+ type = map(string)
+ default = {}
+}
+
+variable "expected_bucket_owner" {
+ description = "The account ID of the expected bucket owner"
+ type = string
+ default = null
+}
+
+variable "lifecycle_rule" {
+ description = "List of maps containing configuration of object lifecycle management."
+ type = any
+ default = []
+}
+
+variable "replication_configuration" {
+ description = "Map containing cross-region replication configuration."
+ type = any
+ default = {}
+}
+
+variable "server_side_encryption_configuration" {
+ description = "Map containing server-side encryption configuration."
+ type = any
+ default = {}
+}
+
+variable "intelligent_tiering" {
+ description = "Map containing intelligent tiering configuration."
+ type = any
+ default = {}
+}
+
+variable "object_lock_configuration" {
+ description = "Map containing S3 object locking configuration."
+ type = any
+ default = {}
+}
+
+variable "metric_configuration" {
+ description = "Map containing bucket metric configuration."
+ type = any
+ default = []
+}
+
+variable "inventory_configuration" {
+ description = "Map containing S3 inventory configuration."
+ type = any
+ default = {}
+}
+
+variable "inventory_source_account_id" {
+ description = "The inventory source account id."
+ type = string
+ default = null
+}
+
+variable "inventory_source_bucket_arn" {
+ description = "The inventory source bucket ARN."
+ type = string
+ default = null
+}
+
+variable "inventory_self_source_destination" {
+ description = "Whether or not the inventory source bucket is also the destination bucket."
+ type = bool
+ default = false
+}
+
+variable "analytics_configuration" {
+ description = "Map containing bucket analytics configuration."
+ type = any
+ default = {}
+}
+
+variable "analytics_source_account_id" {
+ description = "The analytics source account id."
+ type = string
+ default = null
+}
+
+variable "analytics_source_bucket_arn" {
+ description = "The analytics source bucket ARN."
+ type = string
+ default = null
+}
+
+variable "analytics_self_source_destination" {
+ description = "Whether or not the analytics source bucket is also the destination bucket."
+ type = bool
+ default = false
+}
+
+variable "object_lock_enabled" {
+ description = "Whether S3 bucket should have an Object Lock configuration enabled."
+ type = bool
+ default = false
+}
+
+variable "block_public_acls" {
+ description = "Whether Amazon S3 should block public ACLs for this bucket."
+ type = bool
+ default = true
+}
+
+variable "block_public_policy" {
+ description = "Whether Amazon S3 should block public bucket policies for this bucket."
+ type = bool
+ default = true
+}
+
+variable "ignore_public_acls" {
+ description = "Whether Amazon S3 should ignore public ACLs for this bucket."
+ type = bool
+ default = true
+}
+
+variable "restrict_public_buckets" {
+ description = "Whether Amazon S3 should restrict public bucket policies for this bucket."
+ type = bool
+ default = true
+}
+
+variable "control_object_ownership" {
+ description = "Whether to manage S3 Bucket Ownership Controls on this bucket."
+ type = bool
+ default = false
+}
+
+variable "object_ownership" {
+ description = "Object ownership. Valid values: BucketOwnerEnforced, BucketOwnerPreferred or ObjectWriter. 'BucketOwnerEnforced': ACLs are disabled, and the bucket owner automatically owns and has full control over every object in the bucket. 'BucketOwnerPreferred': Objects uploaded to the bucket change ownership to the bucket owner if the objects are uploaded with the bucket-owner-full-control canned ACL. 'ObjectWriter': The uploading account will own the object if the object is uploaded with the bucket-owner-full-control canned ACL."
+ type = string
+ default = "BucketOwnerEnforced"
+}
+
+variable "putin_khuylo" {
+ description = "Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo!"
+ type = bool
+ default = true
+}
diff --git a/test/assets/terraform/vars/vpc-variables.tf b/test/assets/terraform/vars/vpc-variables.tf
new file mode 100644
index 0000000..ce81d68
--- /dev/null
+++ b/test/assets/terraform/vars/vpc-variables.tf
@@ -0,0 +1,1597 @@
+################################################################################
+# VPC
+################################################################################
+
+variable "create_vpc" {
+ description = "Controls if VPC should be created (it affects almost all resources)"
+ type = bool
+ default = true
+}
+
+variable "name" {
+ description = "Name to be used on all the resources as identifier"
+ type = string
+ default = ""
+}
+
+variable "cidr" {
+ description = "(Optional) The IPv4 CIDR block for the VPC. CIDR can be explicitly set or it can be derived from IPAM using `ipv4_netmask_length` & `ipv4_ipam_pool_id`"
+ type = string
+ default = "10.0.0.0/16"
+}
+
+variable "secondary_cidr_blocks" {
+ description = "List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool"
+ type = list(string)
+ default = []
+}
+
+variable "instance_tenancy" {
+ description = "A tenancy option for instances launched into the VPC"
+ type = string
+ default = "default"
+}
+
+variable "azs" {
+ description = "A list of availability zones names or ids in the region"
+ type = list(string)
+ default = []
+}
+
+variable "enable_dns_hostnames" {
+ description = "Should be true to enable DNS hostnames in the VPC"
+ type = bool
+ default = true
+}
+
+variable "enable_dns_support" {
+ description = "Should be true to enable DNS support in the VPC"
+ type = bool
+ default = true
+}
+
+variable "enable_network_address_usage_metrics" {
+ description = "Determines whether network address usage metrics are enabled for the VPC"
+ type = bool
+ default = null
+}
+
+variable "use_ipam_pool" {
+ description = "Determines whether IPAM pool is used for CIDR allocation"
+ type = bool
+ default = false
+}
+
+variable "ipv4_ipam_pool_id" {
+ description = "(Optional) The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR"
+ type = string
+ default = null
+}
+
+variable "ipv4_netmask_length" {
+ description = "(Optional) The netmask length of the IPv4 CIDR you want to allocate to this VPC. Requires specifying a ipv4_ipam_pool_id"
+ type = number
+ default = null
+}
+
+variable "enable_ipv6" {
+ description = "Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block"
+ type = bool
+ default = false
+}
+
+variable "ipv6_cidr" {
+ description = "(Optional) IPv6 CIDR block to request from an IPAM Pool. Can be set explicitly or derived from IPAM using `ipv6_netmask_length`"
+ type = string
+ default = null
+}
+
+variable "ipv6_ipam_pool_id" {
+ description = "(Optional) IPAM Pool ID for a IPv6 pool. Conflicts with `assign_generated_ipv6_cidr_block`"
+ type = string
+ default = null
+}
+
+variable "ipv6_netmask_length" {
+ description = "(Optional) Netmask length to request from IPAM Pool. Conflicts with `ipv6_cidr_block`. This can be omitted if IPAM pool as a `allocation_default_netmask_length` set. Valid values: `56`"
+ type = number
+ default = null
+}
+
+variable "ipv6_cidr_block_network_border_group" {
+ description = "By default when an IPv6 CIDR is assigned to a VPC a default ipv6_cidr_block_network_border_group will be set to the region of the VPC. This can be changed to restrict advertisement of public addresses to specific Network Border Groups such as LocalZones"
+ type = string
+ default = null
+}
+
+variable "vpc_tags" {
+ description = "Additional tags for the VPC"
+ type = map(string)
+ default = {}
+}
+
+variable "tags" {
+ description = "A map of tags to add to all resources"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# DHCP Options Set
+################################################################################
+
+variable "enable_dhcp_options" {
+ description = "Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type"
+ type = bool
+ default = false
+}
+
+variable "dhcp_options_domain_name" {
+ description = "Specifies DNS name for DHCP options set (requires enable_dhcp_options set to true)"
+ type = string
+ default = ""
+}
+
+variable "dhcp_options_domain_name_servers" {
+ description = "Specify a list of DNS server addresses for DHCP options set, default to AWS provided (requires enable_dhcp_options set to true)"
+ type = list(string)
+ default = ["AmazonProvidedDNS"]
+}
+
+variable "dhcp_options_ntp_servers" {
+ description = "Specify a list of NTP servers for DHCP options set (requires enable_dhcp_options set to true)"
+ type = list(string)
+ default = []
+}
+
+variable "dhcp_options_netbios_name_servers" {
+ description = "Specify a list of netbios servers for DHCP options set (requires enable_dhcp_options set to true)"
+ type = list(string)
+ default = []
+}
+
+variable "dhcp_options_netbios_node_type" {
+ description = "Specify netbios node_type for DHCP options set (requires enable_dhcp_options set to true)"
+ type = string
+ default = ""
+}
+
+variable "dhcp_options_tags" {
+ description = "Additional tags for the DHCP option set (requires enable_dhcp_options set to true)"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# Publiс Subnets
+################################################################################
+
+variable "public_subnets" {
+ description = "A list of public subnets inside the VPC"
+ type = list(string)
+ default = []
+}
+
+variable "public_subnet_assign_ipv6_address_on_creation" {
+ description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`"
+ type = bool
+ default = false
+}
+
+variable "public_subnet_enable_dns64" {
+ description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`"
+ type = bool
+ default = true
+}
+
+variable "public_subnet_enable_resource_name_dns_aaaa_record_on_launch" {
+ description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`"
+ type = bool
+ default = true
+}
+
+variable "public_subnet_enable_resource_name_dns_a_record_on_launch" {
+ description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`"
+ type = bool
+ default = false
+}
+
+variable "public_subnet_ipv6_prefixes" {
+ description = "Assigns IPv6 public subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
+ type = list(string)
+ default = []
+}
+
+variable "public_subnet_ipv6_native" {
+ description = "Indicates whether to create an IPv6-only subnet. Default: `false`"
+ type = bool
+ default = false
+}
+
+variable "map_public_ip_on_launch" {
+ description = "Specify true to indicate that instances launched into the subnet should be assigned a public IP address. Default is `false`"
+ type = bool
+ default = false
+}
+
+variable "public_subnet_private_dns_hostname_type_on_launch" {
+ description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`"
+ type = string
+ default = null
+}
+
+variable "public_subnet_names" {
+ description = "Explicit values to use in the Name tag on public subnets. If empty, Name tags are generated"
+ type = list(string)
+ default = []
+}
+
+variable "public_subnet_suffix" {
+ description = "Suffix to append to public subnets name"
+ type = string
+ default = "public"
+}
+
+variable "public_subnet_tags" {
+ description = "Additional tags for the public subnets"
+ type = map(string)
+ default = {}
+}
+
+variable "public_subnet_tags_per_az" {
+ description = "Additional tags for the public subnets where the primary key is the AZ"
+ type = map(map(string))
+ default = {}
+}
+
+variable "public_route_table_tags" {
+ description = "Additional tags for the public route tables"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# Public Network ACLs
+################################################################################
+
+variable "public_dedicated_network_acl" {
+ description = "Whether to use dedicated network ACL (not default) and custom rules for public subnets"
+ type = bool
+ default = false
+}
+
+variable "public_inbound_acl_rules" {
+ description = "Public subnets inbound network ACLs"
+ type = list(map(string))
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "public_outbound_acl_rules" {
+ description = "Public subnets outbound network ACLs"
+ type = list(map(string))
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "public_acl_tags" {
+ description = "Additional tags for the public subnets network ACL"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# Private Subnets
+################################################################################
+
+variable "private_subnets" {
+ description = "A list of private subnets inside the VPC"
+ type = list(string)
+ default = []
+}
+
+variable "private_subnet_assign_ipv6_address_on_creation" {
+ description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`"
+ type = bool
+ default = false
+}
+
+variable "private_subnet_enable_dns64" {
+ description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`"
+ type = bool
+ default = true
+}
+
+variable "private_subnet_enable_resource_name_dns_aaaa_record_on_launch" {
+ description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`"
+ type = bool
+ default = true
+}
+
+variable "private_subnet_enable_resource_name_dns_a_record_on_launch" {
+ description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`"
+ type = bool
+ default = false
+}
+
+variable "private_subnet_ipv6_prefixes" {
+ description = "Assigns IPv6 private subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
+ type = list(string)
+ default = []
+}
+
+variable "private_subnet_ipv6_native" {
+ description = "Indicates whether to create an IPv6-only subnet. Default: `false`"
+ type = bool
+ default = false
+}
+
+variable "private_subnet_private_dns_hostname_type_on_launch" {
+ description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`"
+ type = string
+ default = null
+}
+
+variable "private_subnet_names" {
+ description = "Explicit values to use in the Name tag on private subnets. If empty, Name tags are generated"
+ type = list(string)
+ default = []
+}
+
+variable "private_subnet_suffix" {
+ description = "Suffix to append to private subnets name"
+ type = string
+ default = "private"
+}
+
+variable "private_subnet_tags" {
+ description = "Additional tags for the private subnets"
+ type = map(string)
+ default = {}
+}
+
+variable "private_subnet_tags_per_az" {
+ description = "Additional tags for the private subnets where the primary key is the AZ"
+ type = map(map(string))
+ default = {}
+}
+
+variable "private_route_table_tags" {
+ description = "Additional tags for the private route tables"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# Private Network ACLs
+################################################################################
+
+variable "private_dedicated_network_acl" {
+ description = "Whether to use dedicated network ACL (not default) and custom rules for private subnets"
+ type = bool
+ default = false
+}
+
+variable "private_inbound_acl_rules" {
+ description = "Private subnets inbound network ACLs"
+ type = list(map(string))
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "private_outbound_acl_rules" {
+ description = "Private subnets outbound network ACLs"
+ type = list(map(string))
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "private_acl_tags" {
+ description = "Additional tags for the private subnets network ACL"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# Database Subnets
+################################################################################
+
+variable "database_subnets" {
+ description = "A list of database subnets inside the VPC"
+ type = list(string)
+ default = []
+}
+
+variable "database_subnet_assign_ipv6_address_on_creation" {
+ description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`"
+ type = bool
+ default = false
+}
+
+variable "database_subnet_enable_dns64" {
+ description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`"
+ type = bool
+ default = true
+}
+
+variable "database_subnet_enable_resource_name_dns_aaaa_record_on_launch" {
+ description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`"
+ type = bool
+ default = true
+}
+
+variable "database_subnet_enable_resource_name_dns_a_record_on_launch" {
+ description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`"
+ type = bool
+ default = false
+}
+
+variable "database_subnet_ipv6_prefixes" {
+ description = "Assigns IPv6 database subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
+ type = list(string)
+ default = []
+}
+
+variable "database_subnet_ipv6_native" {
+ description = "Indicates whether to create an IPv6-only subnet. Default: `false`"
+ type = bool
+ default = false
+}
+
+variable "database_subnet_private_dns_hostname_type_on_launch" {
+ description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`"
+ type = string
+ default = null
+}
+
+variable "database_subnet_names" {
+ description = "Explicit values to use in the Name tag on database subnets. If empty, Name tags are generated"
+ type = list(string)
+ default = []
+}
+
+variable "database_subnet_suffix" {
+ description = "Suffix to append to database subnets name"
+ type = string
+ default = "db"
+}
+
+variable "create_database_subnet_route_table" {
+ description = "Controls if separate route table for database should be created"
+ type = bool
+ default = false
+}
+
+variable "create_database_internet_gateway_route" {
+ description = "Controls if an internet gateway route for public database access should be created"
+ type = bool
+ default = false
+}
+
+variable "create_database_nat_gateway_route" {
+ description = "Controls if a nat gateway route should be created to give internet access to the database subnets"
+ type = bool
+ default = false
+}
+
+variable "database_route_table_tags" {
+ description = "Additional tags for the database route tables"
+ type = map(string)
+ default = {}
+}
+
+variable "database_subnet_tags" {
+ description = "Additional tags for the database subnets"
+ type = map(string)
+ default = {}
+}
+
+variable "create_database_subnet_group" {
+ description = "Controls if database subnet group should be created (n.b. database_subnets must also be set)"
+ type = bool
+ default = true
+}
+
+variable "database_subnet_group_name" {
+ description = "Name of database subnet group"
+ type = string
+ default = null
+}
+
+variable "database_subnet_group_tags" {
+ description = "Additional tags for the database subnet group"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# Database Network ACLs
+################################################################################
+
+variable "database_dedicated_network_acl" {
+ description = "Whether to use dedicated network ACL (not default) and custom rules for database subnets"
+ type = bool
+ default = false
+}
+
+variable "database_inbound_acl_rules" {
+ description = "Database subnets inbound network ACL rules"
+ type = list(map(string))
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "database_outbound_acl_rules" {
+ description = "Database subnets outbound network ACL rules"
+ type = list(map(string))
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "database_acl_tags" {
+ description = "Additional tags for the database subnets network ACL"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# Redshift Subnets
+################################################################################
+
+variable "redshift_subnets" {
+ description = "A list of redshift subnets inside the VPC"
+ type = list(string)
+ default = []
+}
+
+variable "redshift_subnet_assign_ipv6_address_on_creation" {
+ description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`"
+ type = bool
+ default = false
+}
+
+variable "redshift_subnet_enable_dns64" {
+ description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`"
+ type = bool
+ default = true
+}
+
+variable "redshift_subnet_enable_resource_name_dns_aaaa_record_on_launch" {
+ description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`"
+ type = bool
+ default = true
+}
+
+variable "redshift_subnet_enable_resource_name_dns_a_record_on_launch" {
+ description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`"
+ type = bool
+ default = false
+}
+
+variable "redshift_subnet_ipv6_prefixes" {
+ description = "Assigns IPv6 redshift subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
+ type = list(string)
+ default = []
+}
+
+variable "redshift_subnet_ipv6_native" {
+ description = "Indicates whether to create an IPv6-only subnet. Default: `false`"
+ type = bool
+ default = false
+}
+
+variable "redshift_subnet_private_dns_hostname_type_on_launch" {
+ description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`"
+ type = string
+ default = null
+}
+
+variable "redshift_subnet_names" {
+ description = "Explicit values to use in the Name tag on redshift subnets. If empty, Name tags are generated"
+ type = list(string)
+ default = []
+}
+
+variable "redshift_subnet_suffix" {
+ description = "Suffix to append to redshift subnets name"
+ type = string
+ default = "redshift"
+}
+
+variable "enable_public_redshift" {
+ description = "Controls if redshift should have public routing table"
+ type = bool
+ default = false
+}
+
+variable "create_redshift_subnet_route_table" {
+ description = "Controls if separate route table for redshift should be created"
+ type = bool
+ default = false
+}
+
+variable "redshift_route_table_tags" {
+ description = "Additional tags for the redshift route tables"
+ type = map(string)
+ default = {}
+}
+
+variable "redshift_subnet_tags" {
+ description = "Additional tags for the redshift subnets"
+ type = map(string)
+ default = {}
+}
+
+variable "create_redshift_subnet_group" {
+ description = "Controls if redshift subnet group should be created"
+ type = bool
+ default = true
+}
+
+variable "redshift_subnet_group_name" {
+ description = "Name of redshift subnet group"
+ type = string
+ default = null
+}
+
+variable "redshift_subnet_group_tags" {
+ description = "Additional tags for the redshift subnet group"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# Redshift Network ACLs
+################################################################################
+
+variable "redshift_dedicated_network_acl" {
+ description = "Whether to use dedicated network ACL (not default) and custom rules for redshift subnets"
+ type = bool
+ default = false
+}
+
+variable "redshift_inbound_acl_rules" {
+ description = "Redshift subnets inbound network ACL rules"
+ type = list(map(string))
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "redshift_outbound_acl_rules" {
+ description = "Redshift subnets outbound network ACL rules"
+ type = list(map(string))
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "redshift_acl_tags" {
+ description = "Additional tags for the redshift subnets network ACL"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# Elasticache Subnets
+################################################################################
+
+variable "elasticache_subnets" {
+ description = "A list of elasticache subnets inside the VPC"
+ type = list(string)
+ default = []
+}
+
+variable "elasticache_subnet_assign_ipv6_address_on_creation" {
+ description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`"
+ type = bool
+ default = false
+}
+
+variable "elasticache_subnet_enable_dns64" {
+ description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`"
+ type = bool
+ default = true
+}
+
+variable "elasticache_subnet_enable_resource_name_dns_aaaa_record_on_launch" {
+ description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`"
+ type = bool
+ default = true
+}
+
+variable "elasticache_subnet_enable_resource_name_dns_a_record_on_launch" {
+ description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`"
+ type = bool
+ default = false
+}
+
+variable "elasticache_subnet_ipv6_prefixes" {
+ description = "Assigns IPv6 elasticache subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
+ type = list(string)
+ default = []
+}
+
+variable "elasticache_subnet_ipv6_native" {
+ description = "Indicates whether to create an IPv6-only subnet. Default: `false`"
+ type = bool
+ default = false
+}
+
+variable "elasticache_subnet_private_dns_hostname_type_on_launch" {
+ description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`"
+ type = string
+ default = null
+}
+
+variable "elasticache_subnet_names" {
+ description = "Explicit values to use in the Name tag on elasticache subnets. If empty, Name tags are generated"
+ type = list(string)
+ default = []
+}
+
+variable "elasticache_subnet_suffix" {
+ description = "Suffix to append to elasticache subnets name"
+ type = string
+ default = "elasticache"
+}
+
+variable "elasticache_subnet_tags" {
+ description = "Additional tags for the elasticache subnets"
+ type = map(string)
+ default = {}
+}
+
+variable "create_elasticache_subnet_route_table" {
+ description = "Controls if separate route table for elasticache should be created"
+ type = bool
+ default = false
+}
+
+variable "elasticache_route_table_tags" {
+ description = "Additional tags for the elasticache route tables"
+ type = map(string)
+ default = {}
+}
+
+variable "create_elasticache_subnet_group" {
+ description = "Controls if elasticache subnet group should be created"
+ type = bool
+ default = true
+}
+
+variable "elasticache_subnet_group_name" {
+ description = "Name of elasticache subnet group"
+ type = string
+ default = null
+}
+
+variable "elasticache_subnet_group_tags" {
+ description = "Additional tags for the elasticache subnet group"
+ type = map(string)
+ default = {}
+}
+
+################################################################################ +# Elasticache Network ACLs +################################################################################ + +variable "elasticache_dedicated_network_acl" { + description = "Whether to use dedicated network ACL (not default) and custom rules for elasticache subnets" + type = bool + default = false +} + +variable "elasticache_inbound_acl_rules" { + description = "Elasticache subnets inbound network ACL rules" + type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] +} + +variable "elasticache_outbound_acl_rules" { + description = "Elasticache subnets outbound network ACL rules" + type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] +} + +variable "elasticache_acl_tags" { + description = "Additional tags for the elasticache subnets network ACL" + type = map(string) + default = {} +} + +################################################################################ +# Intra Subnets +################################################################################ + +variable "intra_subnets" { + description = "A list of intra subnets inside the VPC" + type = list(string) + default = [] +} + +variable "intra_subnet_assign_ipv6_address_on_creation" { + description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`" + type = bool + default = false +} + +variable "intra_subnet_enable_dns64" { + description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. 
Default: `true`" + type = bool + default = true +} + +variable "intra_subnet_enable_resource_name_dns_aaaa_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`" + type = bool + default = true +} + +variable "intra_subnet_enable_resource_name_dns_a_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`" + type = bool + default = false +} + +variable "intra_subnet_ipv6_prefixes" { + description = "Assigns IPv6 intra subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list" + type = list(string) + default = [] +} + +variable "intra_subnet_ipv6_native" { + description = "Indicates whether to create an IPv6-only subnet. Default: `false`" + type = bool + default = false +} + +variable "intra_subnet_private_dns_hostname_type_on_launch" { + description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`" + type = string + default = null +} + +variable "intra_subnet_names" { + description = "Explicit values to use in the Name tag on intra subnets. 
If empty, Name tags are generated" + type = list(string) + default = [] +} + +variable "intra_subnet_suffix" { + description = "Suffix to append to intra subnets name" + type = string + default = "intra" +} + +variable "intra_subnet_tags" { + description = "Additional tags for the intra subnets" + type = map(string) + default = {} +} + +variable "intra_route_table_tags" { + description = "Additional tags for the intra route tables" + type = map(string) + default = {} +} + +################################################################################ +# Intra Network ACLs +################################################################################ + +variable "intra_dedicated_network_acl" { + description = "Whether to use dedicated network ACL (not default) and custom rules for intra subnets" + type = bool + default = false +} + +variable "intra_inbound_acl_rules" { + description = "Intra subnets inbound network ACLs" + type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] +} + +variable "intra_outbound_acl_rules" { + description = "Intra subnets outbound network ACLs" + type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] +} + +variable "intra_acl_tags" { + description = "Additional tags for the intra subnets network ACL" + type = map(string) + default = {} +} + +################################################################################ +# Outpost Subnets +################################################################################ + +variable "outpost_subnets" { + description = "A list of outpost subnets inside the VPC" + type = list(string) + default = [] +} + +variable "outpost_subnet_assign_ipv6_address_on_creation" { + description = "Specify true to indicate that network interfaces created in the specified 
subnet should be assigned an IPv6 address. Default is `false`" + type = bool + default = false +} + +variable "outpost_az" { + description = "AZ where Outpost is anchored" + type = string + default = null +} + +variable "customer_owned_ipv4_pool" { + description = "The customer owned IPv4 address pool. Typically used with the `map_customer_owned_ip_on_launch` argument. The `outpost_arn` argument must be specified when configured" + type = string + default = null +} + +variable "outpost_subnet_enable_dns64" { + description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`" + type = bool + default = true +} + +variable "outpost_subnet_enable_resource_name_dns_aaaa_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`" + type = bool + default = true +} + +variable "outpost_subnet_enable_resource_name_dns_a_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`" + type = bool + default = false +} + +variable "outpost_subnet_ipv6_prefixes" { + description = "Assigns IPv6 outpost subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list" + type = list(string) + default = [] +} + +variable "outpost_subnet_ipv6_native" { + description = "Indicates whether to create an IPv6-only subnet. Default: `false`" + type = bool + default = false +} + +variable "map_customer_owned_ip_on_launch" { + description = "Specify true to indicate that network interfaces created in the subnet should be assigned a customer owned IP address. The `customer_owned_ipv4_pool` and `outpost_arn` arguments must be specified when set to `true`. 
Default is `false`" + type = bool + default = false +} + +variable "outpost_arn" { + description = "ARN of Outpost you want to create a subnet in" + type = string + default = null +} + +variable "outpost_subnet_private_dns_hostname_type_on_launch" { + description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`" + type = string + default = null +} + +variable "outpost_subnet_names" { + description = "Explicit values to use in the Name tag on outpost subnets. If empty, Name tags are generated" + type = list(string) + default = [] +} + +variable "outpost_subnet_suffix" { + description = "Suffix to append to outpost subnets name" + type = string + default = "outpost" +} + +variable "outpost_subnet_tags" { + description = "Additional tags for the outpost subnets" + type = map(string) + default = {} +} + +################################################################################ +# Outpost Network ACLs +################################################################################ + +variable "outpost_dedicated_network_acl" { + description = "Whether to use dedicated network ACL (not default) and custom rules for outpost subnets" + type = bool + default = false +} + +variable "outpost_inbound_acl_rules" { + description = "Outpost subnets inbound network ACLs" + type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] +} + +variable "outpost_outbound_acl_rules" { + description = "Outpost subnets outbound network ACLs" + type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] +} 
+ +variable "outpost_acl_tags" { + description = "Additional tags for the outpost subnets network ACL" + type = map(string) + default = {} +} + +################################################################################ +# Internet Gateway +################################################################################ + +variable "create_igw" { + description = "Controls if an Internet Gateway is created for public subnets and the related routes that connect them" + type = bool + default = true +} + +variable "create_egress_only_igw" { + description = "Controls if an Egress Only Internet Gateway is created and its related routes" + type = bool + default = true +} + +variable "igw_tags" { + description = "Additional tags for the internet gateway" + type = map(string) + default = {} +} + +################################################################################ +# NAT Gateway +################################################################################ + +variable "enable_nat_gateway" { + description = "Should be true if you want to provision NAT Gateways for each of your private networks" + type = bool + default = false +} + +variable "nat_gateway_destination_cidr_block" { + description = "Used to pass a custom destination route for private NAT Gateway. If not specified, the default 0.0.0.0/0 is used as a destination route" + type = string + default = "0.0.0.0/0" +} + +variable "single_nat_gateway" { + description = "Should be true if you want to provision a single shared NAT Gateway across all of your private networks" + type = bool + default = false +} + +variable "one_nat_gateway_per_az" { + description = "Should be true if you want only one NAT Gateway per availability zone. 
Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`" + type = bool + default = false +} + +variable "reuse_nat_ips" { + description = "Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable" + type = bool + default = false +} + +variable "external_nat_ip_ids" { + description = "List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips)" + type = list(string) + default = [] +} + +variable "external_nat_ips" { + description = "List of EIPs to be used for `nat_public_ips` output (used in combination with reuse_nat_ips and external_nat_ip_ids)" + type = list(string) + default = [] +} + +variable "nat_gateway_tags" { + description = "Additional tags for the NAT gateways" + type = map(string) + default = {} +} + +variable "nat_eip_tags" { + description = "Additional tags for the NAT EIP" + type = map(string) + default = {} +} + +################################################################################ +# Customer Gateways +################################################################################ + +variable "customer_gateways" { + description = "Maps of Customer Gateway's attributes (BGP ASN and Gateway's Internet-routable external IP address)" + type = map(map(any)) + default = {} +} + +variable "customer_gateway_tags" { + description = "Additional tags for the Customer Gateway" + type = map(string) + default = {} +} + +################################################################################ +# VPN Gateway +################################################################################ + +variable "enable_vpn_gateway" { + description = "Should be true if you want to create a new VPN Gateway resource and attach it to the VPC" + type = bool + default = false +} + +variable "vpn_gateway_id" { + description = "ID of VPN 
Gateway to attach to the VPC" + type = string + default = "" +} + +variable "amazon_side_asn" { + description = "The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN" + type = string + default = "64512" +} + +variable "vpn_gateway_az" { + description = "The Availability Zone for the VPN Gateway" + type = string + default = null +} + +variable "propagate_intra_route_tables_vgw" { + description = "Should be true if you want route table propagation" + type = bool + default = false +} + +variable "propagate_private_route_tables_vgw" { + description = "Should be true if you want route table propagation" + type = bool + default = false +} + +variable "propagate_public_route_tables_vgw" { + description = "Should be true if you want route table propagation" + type = bool + default = false +} + +variable "vpn_gateway_tags" { + description = "Additional tags for the VPN gateway" + type = map(string) + default = {} +} + +################################################################################ +# Default VPC +################################################################################ + +variable "manage_default_vpc" { + description = "Should be true to adopt and manage Default VPC" + type = bool + default = false +} + +variable "default_vpc_name" { + description = "Name to be used on the Default VPC" + type = string + default = null +} + +variable "default_vpc_enable_dns_support" { + description = "Should be true to enable DNS support in the Default VPC" + type = bool + default = true +} + +variable "default_vpc_enable_dns_hostnames" { + description = "Should be true to enable DNS hostnames in the Default VPC" + type = bool + default = true +} + +variable "default_vpc_tags" { + description = "Additional tags for the Default VPC" + type = map(string) + default = {} +} + +variable "manage_default_security_group" { + description = "Should be true to adopt and 
manage default security group" + type = bool + default = true +} + +variable "default_security_group_name" { + description = "Name to be used on the default security group" + type = string + default = null +} + +variable "default_security_group_ingress" { + description = "List of maps of ingress rules to set on the default security group" + type = list(map(string)) + default = [] +} + +variable "default_security_group_egress" { + description = "List of maps of egress rules to set on the default security group" + type = list(map(string)) + default = [] +} + +variable "default_security_group_tags" { + description = "Additional tags for the default security group" + type = map(string) + default = {} +} + +################################################################################ +# Default Network ACLs +################################################################################ + +variable "manage_default_network_acl" { + description = "Should be true to adopt and manage Default Network ACL" + type = bool + default = true +} + +variable "default_network_acl_name" { + description = "Name to be used on the Default Network ACL" + type = string + default = null +} + +variable "default_network_acl_ingress" { + description = "List of maps of ingress rules to set on the Default Network ACL" + type = list(map(string)) + default = [ + { + rule_no = 100 + action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + { + rule_no = 101 + action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + ipv6_cidr_block = "::/0" + }, + ] +} + +variable "default_network_acl_egress" { + description = "List of maps of egress rules to set on the Default Network ACL" + type = list(map(string)) + default = [ + { + rule_no = 100 + action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + { + rule_no = 101 + action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + ipv6_cidr_block = "::/0" + 
}, + ] +} + +variable "default_network_acl_tags" { + description = "Additional tags for the Default Network ACL" + type = map(string) + default = {} +} + +################################################################################ +# Default Route +################################################################################ + +variable "manage_default_route_table" { + description = "Should be true to manage default route table" + type = bool + default = true +} + +variable "default_route_table_name" { + description = "Name to be used on the default route table" + type = string + default = null +} + +variable "default_route_table_propagating_vgws" { + description = "List of virtual gateways for propagation" + type = list(string) + default = [] +} + +variable "default_route_table_routes" { + description = "Configuration block of routes. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_route_table#route" + type = list(map(string)) + default = [] +} + +variable "default_route_table_tags" { + description = "Additional tags for the default route table" + type = map(string) + default = {} +} + +################################################################################ +# Flow Log +################################################################################ + +variable "enable_flow_log" { + description = "Whether or not to enable VPC Flow Logs" + type = bool + default = false +} + +variable "vpc_flow_log_permissions_boundary" { + description = "The ARN of the Permissions Boundary for the VPC Flow Log IAM Role" + type = string + default = null +} + +variable "flow_log_max_aggregation_interval" { + description = "The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds" + type = number + default = 600 +} + +variable "flow_log_traffic_type" { + description = "The type of traffic to capture. 
Valid values: ACCEPT, REJECT, ALL" + type = string + default = "ALL" +} + +variable "flow_log_destination_type" { + description = "Type of flow log destination. Can be s3, kinesis-data-firehose or cloud-watch-logs" + type = string + default = "cloud-watch-logs" +} + +variable "flow_log_log_format" { + description = "The fields to include in the flow log record, in the order in which they should appear" + type = string + default = null +} + +variable "flow_log_destination_arn" { + description = "The ARN of the CloudWatch log group or S3 bucket where VPC Flow Logs will be pushed. If this ARN is a S3 bucket the appropriate permissions need to be set on that bucket's policy. When create_flow_log_cloudwatch_log_group is set to false this argument must be provided" + type = string + default = "" +} + +variable "flow_log_deliver_cross_account_role" { + description = "(Optional) ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts." + type = string + default = null +} + +variable "flow_log_file_format" { + description = "(Optional) The format for the flow log. Valid values: `plain-text`, `parquet`" + type = string + default = null +} + +variable "flow_log_hive_compatible_partitions" { + description = "(Optional) Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3" + type = bool + default = false +} + +variable "flow_log_per_hour_partition" { + description = "(Optional) Indicates whether to partition the flow log per hour. 
This reduces the cost and response time for queries" + type = bool + default = false +} + +variable "vpc_flow_log_tags" { + description = "Additional tags for the VPC Flow Logs" + type = map(string) + default = {} +} + +################################################################################ +# Flow Log CloudWatch +################################################################################ + +variable "create_flow_log_cloudwatch_log_group" { + description = "Whether to create CloudWatch log group for VPC Flow Logs" + type = bool + default = false +} + +variable "create_flow_log_cloudwatch_iam_role" { + description = "Whether to create IAM role for VPC Flow Logs" + type = bool + default = false +} + +variable "flow_log_cloudwatch_iam_role_arn" { + description = "The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When flow_log_destination_arn is set to ARN of Cloudwatch Logs, this argument needs to be provided" + type = string + default = "" +} + +variable "flow_log_cloudwatch_log_group_name_prefix" { + description = "Specifies the name prefix of CloudWatch Log Group for VPC flow logs" + type = string + default = "/aws/vpc-flow-log/" +} + +variable "flow_log_cloudwatch_log_group_name_suffix" { + description = "Specifies the name suffix of CloudWatch Log Group for VPC flow logs" + type = string + default = "" +} + +variable "flow_log_cloudwatch_log_group_retention_in_days" { + description = "Specifies the number of days you want to retain log events in the specified log group for VPC flow logs" + type = number + default = null +} + +variable "flow_log_cloudwatch_log_group_kms_key_id" { + description = "The ARN of the KMS Key to use when encrypting log data for VPC flow logs" + type = string + default = null +} + +variable "flow_log_cloudwatch_log_group_skip_destroy" { + description = " Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the 
log group from the Terraform state" + type = bool + default = false +} + +variable "flow_log_cloudwatch_log_group_class" { + description = "Specified the log class of the log group. Possible values are: STANDARD or INFREQUENT_ACCESS" + type = string + default = null +} + +variable "putin_khuylo" { + description = "Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo!" + type = bool + default = true +} diff --git a/test/init_tf_module_sources_test.go b/test/init_tf_module_sources_test.go index 5f6935d..cd19df5 100644 --- a/test/init_tf_module_sources_test.go +++ b/test/init_tf_module_sources_test.go 
@@ -1,123 +1,58 @@ package integration_test import ( - "fmt" "os" - "os/exec" "path/filepath" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "github.com/onsi/gomega/gbytes" "github.com/onsi/gomega/gexec" + "github.com/syntasso/kratix-cli/internal" "sigs.k8s.io/yaml" ) type moduleTestCase struct { - name string - moduleSource string - moduleRegistryVer string - expectRegistryEnv bool - expectedProperties []string - expectFailure bool - skip bool + name string + moduleSource string + moduleRegistryVer string + expectRegistryEnv bool + expectedTypesFile string } var _ = Describe("InitTerraformPromise source integration", func() { - if _, err := exec.LookPath("terraform"); err != nil { - Skip("terraform binary not found in PATH; skipping module source integration tests") - } - cwd, err := os.Getwd() Expect(err).NotTo(HaveOccurred()) - localModulePath := filepath.Join(cwd, "assets", "terraform", "modules", "local", "basic") - - cases := []moduleTestCase{ - { - name: "open source git repo with ref", - moduleSource: "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v5.7.0", - expectedProperties: []string{"name", "cidr"}, - }, - { - name: "private git repo placeholder", - moduleSource: "git::ssh://git@github.com/example/private-repo.git?ref=v0.1.0", - expectedProperties: []string{}, - expectFailure: true, - skip: true, // enable once credentials/repo exist - }, - { - name: "registry with version", - moduleSource: "terraform-aws-modules/s3-bucket/aws", - moduleRegistryVer: "4.1.2", - expectRegistryEnv: true, - expectedProperties: []string{"bucket"}, - }, - { - name: "nested registry module path with version", - moduleSource: "terraform-aws-modules/vpc/aws//modules/vpc-endpoints", - moduleRegistryVer: "5.7.0", - expectRegistryEnv: true, - expectedProperties: []string{"vpc_id"}, - }, - { - name: "registry without version", - moduleSource: "terraform-aws-modules/vpc/aws", - expectedProperties: []string{"name", "cidr"}, - }, - { - name: "local 
filesystem module", - moduleSource: localModulePath, - expectedProperties: []string{"name", "size", "tags"}, - }, - } - - var ( - r *runner - workingDir string - flags map[string]string - ) - - BeforeEach(func() { - var err error - workingDir, err = os.MkdirTemp("", "kratix-test-sources") - Expect(err).NotTo(HaveOccurred()) - r = &runner{exitCode: 0, Path: os.Getenv("PATH")} - flags = map[string]string{ - "--group": "example.com", - "--kind": "Example", - "--version": "v1alpha1", - "--dir": workingDir, - "--split": "", - } - }) - - AfterEach(func() { - Expect(os.RemoveAll(workingDir)).To(Succeed()) - }) - - for _, tc := range cases { - tc := tc - It(fmt.Sprintf("handles %s", tc.name), func() { - if tc.skip { - Skip("pending setup for private repo") + localModulePath := filepath.Join(cwd, "assets", "terraform", "modules", "local", "basic") + vpcFixture := filepath.Join(cwd, "assets", "terraform", "vars", "vpc-variables.tf") + s3Fixture := filepath.Join(cwd, "assets", "terraform", "vars", "registry-variables.tf") + nestedFixture := filepath.Join(cwd, "assets", "terraform", "vars", "nested-registry-variables.tf") + + DescribeTable("generates promise schema and workflow envs", + func(tc moduleTestCase) { + workingDir, err := os.MkdirTemp("", "kratix-test-sources") + Expect(err).NotTo(HaveOccurred()) + defer os.RemoveAll(workingDir) + + r := &runner{ + exitCode: 0, + Path: os.Getenv("PATH"), + flags: map[string]string{ + "--group": "example.com", + "--kind": "Example", + "--version": "v1alpha1", + "--dir": workingDir, + "--split": "", + }, } - flags["--module-source"] = tc.moduleSource + r.flags["--module-source"] = tc.moduleSource if tc.moduleRegistryVer != "" { - flags["--module-registry-version"] = tc.moduleRegistryVer - } else { - delete(flags, "--module-registry-version") - } - r.flags = flags - runnerArgs := []string{"init", "tf-module-promise", "example"} - - session := r.run(runnerArgs...) 
- if tc.expectFailure { - Expect(session.ExitCode()).NotTo(Equal(0)) - return + r.flags["--module-registry-version"] = tc.moduleRegistryVer } + session := r.run("init", "tf-module-promise", "example") Expect(session).To(gexec.Exit(0)) Expect(session.Out).To(gbytes.Say("Promise generated successfully")) 
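Review bot: The `exec.LookPath("terraform")` guard is removed without a replacement, so on a machine without the binary every table entry now fails instead of skipping, even though the old guard implies the CLI shells out to terraform (not visible here). Calling `Skip` inside a container node was itself not valid in Ginkgo v2, so the guard belongs in the body function, e.g. at the top of `func(tc moduleTestCase)`: `if _, err := exec.LookPath("terraform"); err != nil { Skip("terraform binary not found in PATH") }`, which also means the `os/exec` import dropped in this hunk has to come back. Separately, `moduleTestCase.name` is still populated by every entry but no longer read anywhere in the new code; either drop the field or feed it into the `Entry` description. The `DescribeTable` body continues past this hunk.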
@@ -129,12 +64,57 @@ var _ = Describe("InitTerraformPromise source integration", func() { Expect(envs).NotTo(HaveKey("MODULE_REGISTRY_VERSION")) } - specProps := readSpecProperties(workingDir) - for _, prop := range tc.expectedProperties { - Expect(specProps).To(HaveKey(prop)) - } - }) - } + actual := readSpecTypes(workingDir) + expected := expectedTypesFromFixture(tc.expectedTypesFile) + Expect(actual).To(Equal(expected)) + }, + Entry("open source git repo with ref", + moduleTestCase{ + name: "git vpc", + moduleSource: "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v5.7.0", + expectedTypesFile: vpcFixture, + }, + ), + Entry("git repo subdir (mono-repo style)", + moduleTestCase{ + name: "git subdir", + moduleSource: "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git//modules/vpc-endpoints?ref=v5.7.0", + expectedTypesFile: nestedFixture, + }, + ), + Entry("registry with version", + moduleTestCase{ + name: "registry s3 bucket", + moduleSource: "terraform-aws-modules/s3-bucket/aws", + moduleRegistryVer: "4.1.2", + expectRegistryEnv: true, + expectedTypesFile: s3Fixture, + }, + ), + Entry("nested registry with version", + moduleTestCase{ + name: "nested registry vpc endpoints", + moduleSource: "terraform-aws-modules/vpc/aws//modules/vpc-endpoints", + moduleRegistryVer: "5.7.0", + expectRegistryEnv: true, + expectedTypesFile: nestedFixture, + }, + ), + Entry("registry without version", + moduleTestCase{ + name: "registry without version", + moduleSource: "terraform-aws-modules/vpc/aws", + expectedTypesFile: vpcFixture, + }, + ), + Entry("local filesystem module", + moduleTestCase{ + name: "local module", + moduleSource: localModulePath, + expectedTypesFile: filepath.Join(localModulePath, "variables.tf"), + }, + ), + ) }) func readWorkflowEnvs(workingDir string) map[string]string { 
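Review bot: The "registry without version" entry downloads whatever `terraform-aws-modules/vpc/aws` currently resolves to and asserts exact equality with `vpcFixture`, the same fixture the `?ref=v5.7.0` git entry uses, so the spec breaks the day upstream adds or renames a variable and its result depends on an unpinned network fetch. If the intent is to exercise the no-version code path, keep the entry but assert a stable subset instead of `Equal(expected)`, e.g. `Expect(actual).To(HaveKeyWithValue("cidr", "string"))` and `Expect(actual).To(HaveKeyWithValue("name", "string"))`; otherwise pin it with `moduleRegistryVer: "5.7.0"` and `expectRegistryEnv: true`. It would also help to note in a comment above the table that every entry performs live fetches from GitHub and the Terraform registry, so the suite is not hermetic.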
@@ -167,11 +147,10 @@ func readWorkflowEnvs(workingDir string) map[string]string {
 return envs
 }
-func readSpecProperties(workingDir string) map[string]any {
+func readSpecTypes(workingDir string) map[string]string {
 apiPath := filepath.Join(workingDir, "api.yaml")
 contents, err := os.ReadFile(apiPath)
 if err != nil {
- // fallback to promise.yaml when split not used
 contents, err = os.ReadFile(filepath.Join(workingDir, "promise.yaml"))
 Expect(err).NotTo(HaveOccurred())
 }
@@ -179,7 +158,6 @@ func readSpecProperties(workingDir string) map[string]any {
 var doc map[string]any
 Expect(yaml.Unmarshal(contents, &doc)).To(Succeed())
- // If promise.yaml, drill into spec.api
 if kind, _ := doc["kind"].(string); kind == "Promise" {
 spec, _ := doc["spec"].(map[string]any)
 api, _ := spec["api"].(map[string]any)
@@ -196,5 +174,26 @@ func readSpecProperties(workingDir string) map[string]any {
 specProps, _ := properties["spec"].(map[string]any)
 propMap, _ := specProps["properties"].(map[string]any)
 Expect(propMap).ToNot(BeNil())
- return propMap
+
+ result := map[string]string{}
+ for name, raw := range propMap {
+ rawMap, _ := raw.(map[string]any)
+ typ, _ := rawMap["type"].(string)
+ result[name] = typ
+ }
+
+ return result
+}
+
+func expectedTypesFromFixture(fixturePath string) map[string]string {
+ vars, err := internal.GetVariablesFromModule(fixturePath, "")
+ Expect(err).NotTo(HaveOccurred())
+ schema, warnings := internal.VariablesToCRDSpecSchema(vars)
+ Expect(warnings).To(BeEmpty())
+
+ result := map[string]string{}
+ for name, prop := range schema.Properties {
+ result[name] = prop.Type
+ }
+ return result
+}
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..7a38762
--- /dev/null
+++ b/variables.tf
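Review bot: The why-comments dropped by this hunk and the next one (`// fallback to promise.yaml when split not used` and `// If promise.yaml, drill into spec.api`) explained branches that the renamed `readSpecTypes` still takes unchanged, so they still apply and should be kept. Alternatively give the function a doc comment that covers both, e.g. `// readSpecTypes reads spec.properties from api.yaml (falling back to promise.yaml's spec.api) and returns each property's declared type.`; the middle of the function lies between the hunks.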
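Review bot: In the new loop in `readSpecTypes`, `rawMap, _ := raw.(map[string]any)` and `typ, _ := rawMap["type"].(string)` discard both assertion results, so a property whose schema is malformed or has no `type` is silently recorded as `""` rather than failing the test; assert the `ok` values instead, e.g. `rawMap, ok := raw.(map[string]any); Expect(ok).To(BeTrue(), name)` and the same for the `type` lookup. The comparison is also limited to the top-level `type` string, so a mismatch in `items`, nested `properties` or `required` between the generated CRD and the fixture would pass unnoticed; at minimum `expectedTypesFromFixture` deserves a comment stating that only top-level property types are compared, or the map value could be extended to include the item type. For the local case `expectedTypesFromFixture` receives a bare `variables.tf` path; whether `GetVariablesFromModule` accepts a file rather than a module directory is not visible from this diff.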
@@ -0,0 +1,1597 @@ +condary CIDR blocks to associate with the VPC to extend the IP Address pool" + type = list(string) + default = [] +} + +variable "instance_tenancy" { + description = "A tenancy option for instances launched into the VPC" + type = string + default = "default" +} + +variable "azs" { + description = "A list of availability zones names or ids in the region" + type = list(string) + default = [] +} + +variable "enable_dns_hostnames" { + description = "Should be true to enable DNS hostnames in the VPC" + type = bool + default = true +} + +variable "enable_dns_support" { + description = "Should be true to enable DNS support in the VPC" + type = bool + default = true +} + +variable "enable_network_address_usage_metrics" { + des################################################################################ +# VPC +################################################################################ + +variable "create_vpc" { + description = "Controls if VPC should be created (it affects almost all resources)" + type = bool + default = true +} + +variable "name" { + description = "Name to be used on all the resources as identifier" + type = string + default = "" +} + +variable "cidr" { + description = "(Optional) The IPv4 CIDR block for the VPC. 
CIDR can be explicitly set or it can be derived from IPAM using `ipv4_netmask_length` & `ipv4_ipam_pool_id`" + type = string + default = "10.0.0.0/16" +} + +variable "secondary_cidr_blocks" { + description = "List of secription = "Determines whether network address usage metrics are enabled for the VPC" + type = bool + default = null +} + +variable "use_ipam_pool" { + description = "Determines whether IPAM pool is used for CIDR allocation" + type = bool + default = false +} + +variable "ipv4_ipam_pool_id" { + description = "(Optional) The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR" + type = string + default = null +} + +variable "ipv4_netmask_length" { + description = "(Optional) The netmask length of the IPv4 CIDR you want to allocate to this VPC. Requires specifying a ipv4_ipam_pool_id" + type = number + default = null +} + +variable "enable_ipv6" { + description = "Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block" + type = bool + default = false +} + +variable "ipv6_cidr" { + description = "(Optional) IPv6 CIDR block to request from an IPAM Pool. Can be set explicitly or derived from IPAM using `ipv6_netmask_length`" + type = string + default = null +} + +variable "ipv6_ipam_pool_id" { + description = "(Optional) IPAM Pool ID for a IPv6 pool. Conflicts with `assign_generated_ipv6_cidr_block`" + type = string + default = null +} + +variable "ipv6_netmask_length" { + description = "(Optional) Netmask length to request from IPAM Pool. Conflicts with `ipv6_cidr_block`. This can be omitted if IPAM pool as a `allocation_default_netmask_length` set. Valid values: `56`" + type = number + default = null +} + +variable "ipv6_cidr_block_network_border_group" { + description = "By default when an IPv6 CIDR is assigned to a VPC a default ipv6_cidr_block_network_border_group will be set to the region of the VPC. 
This can be changed to restrict advertisement of public addresses to specific Network Border Groups such as LocalZones" + type = string + default = null +} + +variable "vpc_tags" { + description = "Additional tags for the VPC" + type = map(string) + default = {} +} + +variable "tags" { + description = "A map of tags to add to all resources" + type = map(string) + default = {} +} + +################################################################################ +# DHCP Options Set +################################################################################ + +variable "enable_dhcp_options" { + description = "Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type" + type = bool + default = false +} + +variable "dhcp_options_domain_name" { + description = "Specifies DNS name for DHCP options set (requires enable_dhcp_options set to true)" + type = string + default = "" +} + +variable "dhcp_options_domain_name_servers" { + description = "Specify a list of DNS server addresses for DHCP options set, default to AWS provided (requires enable_dhcp_options set to true)" + type = list(string) + default = ["AmazonProvidedDNS"] +} + +variable "dhcp_options_ntp_servers" { + description = "Specify a list of NTP servers for DHCP options set (requires enable_dhcp_options set to true)" + type = list(string) + default = [] +} + +variable "dhcp_options_netbios_name_servers" { + description = "Specify a list of netbios servers for DHCP options set (requires enable_dhcp_options set to true)" + type = list(string) + default = [] +} + +variable "dhcp_options_netbios_node_type" { + description = "Specify netbios node_type for DHCP options set (requires enable_dhcp_options set to true)" + type = string + default = "" +} + +variable "dhcp_options_tags" { + description = "Additional tags for the DHCP option set (requires enable_dhcp_options set to true)" + type = map(string) + default = {} 
+} + +################################################################################ +# Publiс Subnets +################################################################################ + +variable "public_subnets" { + description = "A list of public subnets inside the VPC" + type = list(string) + default = [] +} + +variable "public_subnet_assign_ipv6_address_on_creation" { + description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`" + type = bool + default = false +} + +variable "public_subnet_enable_dns64" { + description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`" + type = bool + default = true +} + +variable "public_subnet_enable_resource_name_dns_aaaa_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`" + type = bool + default = true +} + +variable "public_subnet_enable_resource_name_dns_a_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`" + type = bool + default = false +} + +variable "public_subnet_ipv6_prefixes" { + description = "Assigns IPv6 public subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list" + type = list(string) + default = [] +} + +variable "public_subnet_ipv6_native" { + description = "Indicates whether to create an IPv6-only subnet. Default: `false`" + type = bool + default = false +} + +variable "map_public_ip_on_launch" { + description = "Specify true to indicate that instances launched into the subnet should be assigned a public IP address. 
Default is `false`" + type = bool + default = false +} + +variable "public_subnet_private_dns_hostname_type_on_launch" { + description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`" + type = string + default = null +} + +variable "public_subnet_names" { + description = "Explicit values to use in the Name tag on public subnets. If empty, Name tags are generated" + type = list(string) + default = [] +} + +variable "public_subnet_suffix" { + description = "Suffix to append to public subnets name" + type = string + default = "public" +} + +variable "public_subnet_tags" { + description = "Additional tags for the public subnets" + type = map(string) + default = {} +} + +variable "public_subnet_tags_per_az" { + description = "Additional tags for the public subnets where the primary key is the AZ" + type = map(map(string)) + default = {} +} + +variable "public_route_table_tags" { + description = "Additional tags for the public route tables" + type = map(string) + default = {} +} + +################################################################################ +# Public Network ACLs +################################################################################ + +variable "public_dedicated_network_acl" { + description = "Whether to use dedicated network ACL (not default) and custom rules for public subnets" + type = bool + default = false +} + +variable "public_inbound_acl_rules" { + description = "Public subnets inbound network ACLs" + type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] +} + +variable "public_outbound_acl_rules" { + description = "Public subnets outbound network ACLs" + 
type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] +} + +variable "public_acl_tags" { + description = "Additional tags for the public subnets network ACL" + type = map(string) + default = {} +} + +################################################################################ +# Private Subnets +################################################################################ + +variable "private_subnets" { + description = "A list of private subnets inside the VPC" + type = list(string) + default = [] +} + +variable "private_subnet_assign_ipv6_address_on_creation" { + description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`" + type = bool + default = false +} + +variable "private_subnet_enable_dns64" { + description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`" + type = bool + default = true +} + +variable "private_subnet_enable_resource_name_dns_aaaa_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`" + type = bool + default = true +} + +variable "private_subnet_enable_resource_name_dns_a_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`" + type = bool + default = false +} + +variable "private_subnet_ipv6_prefixes" { + description = "Assigns IPv6 private subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list" + type = list(string) + default = [] +} + +variable "private_subnet_ipv6_native" { + description = "Indicates whether to create an IPv6-only subnet. 
Default: `false`" + type = bool + default = false +} + +variable "private_subnet_private_dns_hostname_type_on_launch" { + description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`" + type = string + default = null +} + +variable "private_subnet_names" { + description = "Explicit values to use in the Name tag on private subnets. If empty, Name tags are generated" + type = list(string) + default = [] +} + +variable "private_subnet_suffix" { + description = "Suffix to append to private subnets name" + type = string + default = "private" +} + +variable "private_subnet_tags" { + description = "Additional tags for the private subnets" + type = map(string) + default = {} +} + +variable "private_subnet_tags_per_az" { + description = "Additional tags for the private subnets where the primary key is the AZ" + type = map(map(string)) + default = {} +} + +variable "private_route_table_tags" { + description = "Additional tags for the private route tables" + type = map(string) + default = {} +} + +################################################################################ +# Private Network ACLs +################################################################################ + +variable "private_dedicated_network_acl" { + description = "Whether to use dedicated network ACL (not default) and custom rules for private subnets" + type = bool + default = false +} + +variable "private_inbound_acl_rules" { + description = "Private subnets inbound network ACLs" + type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] +} + +variable "private_outbound_acl_rules" { + description = "Private subnets outbound 
network ACLs" + type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] +} + +variable "private_acl_tags" { + description = "Additional tags for the private subnets network ACL" + type = map(string) + default = {} +} + +################################################################################ +# Database Subnets +################################################################################ + +variable "database_subnets" { + description = "A list of database subnets inside the VPC" + type = list(string) + default = [] +} + +variable "database_subnet_assign_ipv6_address_on_creation" { + description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`" + type = bool + default = false +} + +variable "database_subnet_enable_dns64" { + description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`" + type = bool + default = true +} + +variable "database_subnet_enable_resource_name_dns_aaaa_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`" + type = bool + default = true +} + +variable "database_subnet_enable_resource_name_dns_a_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`" + type = bool + default = false +} + +variable "database_subnet_ipv6_prefixes" { + description = "Assigns IPv6 database subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). 
Must be of equal length to the corresponding IPv4 subnet list" + type = list(string) + default = [] +} + +variable "database_subnet_ipv6_native" { + description = "Indicates whether to create an IPv6-only subnet. Default: `false`" + type = bool + default = false +} + +variable "database_subnet_private_dns_hostname_type_on_launch" { + description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`" + type = string + default = null +} + +variable "database_subnet_names" { + description = "Explicit values to use in the Name tag on database subnets. If empty, Name tags are generated" + type = list(string) + default = [] +} + +variable "database_subnet_suffix" { + description = "Suffix to append to database subnets name" + type = string + default = "db" +} + +variable "create_database_subnet_route_table" { + description = "Controls if separate route table for database should be created" + type = bool + default = false +} + +variable "create_database_internet_gateway_route" { + description = "Controls if an internet gateway route for public database access should be created" + type = bool + default = false +} + +variable "create_database_nat_gateway_route" { + description = "Controls if a nat gateway route should be created to give internet access to the database subnets" + type = bool + default = false +} + +variable "database_route_table_tags" { + description = "Additional tags for the database route tables" + type = map(string) + default = {} +} + +variable "database_subnet_tags" { + description = "Additional tags for the database subnets" + type = map(string) + default = {} +} + +variable "create_database_subnet_group" { + description = "Controls if database subnet group should be created (n.b. 
database_subnets must also be set)" + type = bool + default = true +} + +variable "database_subnet_group_name" { + description = "Name of database subnet group" + type = string + default = null +} + +variable "database_subnet_group_tags" { + description = "Additional tags for the database subnet group" + type = map(string) + default = {} +} + +################################################################################ +# Database Network ACLs +################################################################################ + +variable "database_dedicated_network_acl" { + description = "Whether to use dedicated network ACL (not default) and custom rules for database subnets" + type = bool + default = false +} + +variable "database_inbound_acl_rules" { + description = "Database subnets inbound network ACL rules" + type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] +} + +variable "database_outbound_acl_rules" { + description = "Database subnets outbound network ACL rules" + type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] +} + +variable "database_acl_tags" { + description = "Additional tags for the database subnets network ACL" + type = map(string) + default = {} +} + +################################################################################ +# Redshift Subnets +################################################################################ + +variable "redshift_subnets" { + description = "A list of redshift subnets inside the VPC" + type = list(string) + default = [] +} + +variable "redshift_subnet_assign_ipv6_address_on_creation" { + description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. 
Default is `false`" + type = bool + default = false +} + +variable "redshift_subnet_enable_dns64" { + description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`" + type = bool + default = true +} + +variable "redshift_subnet_enable_resource_name_dns_aaaa_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`" + type = bool + default = true +} + +variable "redshift_subnet_enable_resource_name_dns_a_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`" + type = bool + default = false +} + +variable "redshift_subnet_ipv6_prefixes" { + description = "Assigns IPv6 redshift subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list" + type = list(string) + default = [] +} + +variable "redshift_subnet_ipv6_native" { + description = "Indicates whether to create an IPv6-only subnet. Default: `false`" + type = bool + default = false +} + +variable "redshift_subnet_private_dns_hostname_type_on_launch" { + description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`" + type = string + default = null +} + +variable "redshift_subnet_names" { + description = "Explicit values to use in the Name tag on redshift subnets. 
If empty, Name tags are generated" + type = list(string) + default = [] +} + +variable "redshift_subnet_suffix" { + description = "Suffix to append to redshift subnets name" + type = string + default = "redshift" +} + +variable "enable_public_redshift" { + description = "Controls if redshift should have public routing table" + type = bool + default = false +} + +variable "create_redshift_subnet_route_table" { + description = "Controls if separate route table for redshift should be created" + type = bool + default = false +} + +variable "redshift_route_table_tags" { + description = "Additional tags for the redshift route tables" + type = map(string) + default = {} +} + +variable "redshift_subnet_tags" { + description = "Additional tags for the redshift subnets" + type = map(string) + default = {} +} + +variable "create_redshift_subnet_group" { + description = "Controls if redshift subnet group should be created" + type = bool + default = true +} + +variable "redshift_subnet_group_name" { + description = "Name of redshift subnet group" + type = string + default = null +} + +variable "redshift_subnet_group_tags" { + description = "Additional tags for the redshift subnet group" + type = map(string) + default = {} +} + +################################################################################ +# Redshift Network ACLs +################################################################################ + +variable "redshift_dedicated_network_acl" { + description = "Whether to use dedicated network ACL (not default) and custom rules for redshift subnets" + type = bool + default = false +} + +variable "redshift_inbound_acl_rules" { + description = "Redshift subnets inbound network ACL rules" + type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] +} + +variable "redshift_outbound_acl_rules" { + description = "Redshift subnets outbound network ACL rules" + 
type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] +} + +variable "redshift_acl_tags" { + description = "Additional tags for the redshift subnets network ACL" + type = map(string) + default = {} +} + +################################################################################ +# Elasticache Subnets +################################################################################ + +variable "elasticache_subnets" { + description = "A list of elasticache subnets inside the VPC" + type = list(string) + default = [] +} + +variable "elasticache_subnet_assign_ipv6_address_on_creation" { + description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`" + type = bool + default = false +} + +variable "elasticache_subnet_enable_dns64" { + description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`" + type = bool + default = true +} + +variable "elasticache_subnet_enable_resource_name_dns_aaaa_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`" + type = bool + default = true +} + +variable "elasticache_subnet_enable_resource_name_dns_a_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`" + type = bool + default = false +} + +variable "elasticache_subnet_ipv6_prefixes" { + description = "Assigns IPv6 elasticache subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). 
Must be of equal length to the corresponding IPv4 subnet list" + type = list(string) + default = [] +} + +variable "elasticache_subnet_ipv6_native" { + description = "Indicates whether to create an IPv6-only subnet. Default: `false`" + type = bool + default = false +} + +variable "elasticache_subnet_private_dns_hostname_type_on_launch" { + description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`" + type = string + default = null +} + +variable "elasticache_subnet_names" { + description = "Explicit values to use in the Name tag on elasticache subnets. If empty, Name tags are generated" + type = list(string) + default = [] +} + +variable "elasticache_subnet_suffix" { + description = "Suffix to append to elasticache subnets name" + type = string + default = "elasticache" +} + +variable "elasticache_subnet_tags" { + description = "Additional tags for the elasticache subnets" + type = map(string) + default = {} +} + +variable "create_elasticache_subnet_route_table" { + description = "Controls if separate route table for elasticache should be created" + type = bool + default = false +} + +variable "elasticache_route_table_tags" { + description = "Additional tags for the elasticache route tables" + type = map(string) + default = {} +} + +variable "create_elasticache_subnet_group" { + description = "Controls if elasticache subnet group should be created" + type = bool + default = true +} + +variable "elasticache_subnet_group_name" { + description = "Name of elasticache subnet group" + type = string + default = null +} + +variable "elasticache_subnet_group_tags" { + description = "Additional tags for the elasticache subnet group" + type = map(string) + default = {} +} + 
+################################################################################ +# Elasticache Network ACLs +################################################################################ + +variable "elasticache_dedicated_network_acl" { + description = "Whether to use dedicated network ACL (not default) and custom rules for elasticache subnets" + type = bool + default = false +} + +variable "elasticache_inbound_acl_rules" { + description = "Elasticache subnets inbound network ACL rules" + type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] +} + +variable "elasticache_outbound_acl_rules" { + description = "Elasticache subnets outbound network ACL rules" + type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] +} + +variable "elasticache_acl_tags" { + description = "Additional tags for the elasticache subnets network ACL" + type = map(string) + default = {} +} + +################################################################################ +# Intra Subnets +################################################################################ + +variable "intra_subnets" { + description = "A list of intra subnets inside the VPC" + type = list(string) + default = [] +} + +variable "intra_subnet_assign_ipv6_address_on_creation" { + description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`" + type = bool + default = false +} + +variable "intra_subnet_enable_dns64" { + description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. 
Default: `true`"
+ type = bool
+ default = true
+}
+
+variable "intra_subnet_enable_resource_name_dns_aaaa_record_on_launch" {
+ description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`"
+ type = bool
+ default = true
+}
+
+variable "intra_subnet_enable_resource_name_dns_a_record_on_launch" {
+ description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`"
+ type = bool
+ default = false
+}
+
+variable "intra_subnet_ipv6_prefixes" {
+ description = "Assigns IPv6 intra subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
+ type = list(string)
+ default = []
+}
+
+variable "intra_subnet_ipv6_native" {
+ description = "Indicates whether to create an IPv6-only subnet. Default: `false`"
+ type = bool
+ default = false
+}
+
+variable "intra_subnet_private_dns_hostname_type_on_launch" {
+ description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`"
+ type = string
+ default = null
+}
+
+variable "intra_subnet_names" {
+ description = "Explicit values to use in the Name tag on intra subnets. If empty, Name tags are generated"
+ type = list(string)
+ default = []
+}
+
+variable "intra_subnet_suffix" {
+ description = "Suffix to append to intra subnets name"
+ type = string
+ default = "intra"
+}
+
+variable "intra_subnet_tags" {
+ description = "Additional tags for the intra subnets"
+ type = map(string)
+ default = {}
+}
+
+variable "intra_route_table_tags" {
+ description = "Additional tags for the intra route tables"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# Intra Network ACLs
+################################################################################
+
+variable "intra_dedicated_network_acl" {
+ description = "Whether to use dedicated network ACL (not default) and custom rules for intra subnets"
+ type = bool
+ default = false
+}
+
+variable "intra_inbound_acl_rules" {
+ description = "Intra subnets inbound network ACLs"
+ type = list(map(string))
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "intra_outbound_acl_rules" {
+ description = "Intra subnets outbound network ACLs"
+ type = list(map(string))
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "intra_acl_tags" {
+ description = "Additional tags for the intra subnets network ACL"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# Outpost Subnets
+################################################################################
+
+variable "outpost_subnets" {
+ description = "A list of outpost subnets inside the VPC"
+ type = list(string)
+ default = []
+}
+
+variable "outpost_subnet_assign_ipv6_address_on_creation" {
+ description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`"
+ type = bool
+ default = false
+}
+
+variable "outpost_az" {
+ description = "AZ where Outpost is anchored"
+ type = string
+ default = null
+}
+
+variable "customer_owned_ipv4_pool" {
+ description = "The customer owned IPv4 address pool. Typically used with the `map_customer_owned_ip_on_launch` argument. The `outpost_arn` argument must be specified when configured"
+ type = string
+ default = null
+}
+
+variable "outpost_subnet_enable_dns64" {
+ description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`"
+ type = bool
+ default = true
+}
+
+variable "outpost_subnet_enable_resource_name_dns_aaaa_record_on_launch" {
+ description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`"
+ type = bool
+ default = true
+}
+
+variable "outpost_subnet_enable_resource_name_dns_a_record_on_launch" {
+ description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`"
+ type = bool
+ default = false
+}
+
+variable "outpost_subnet_ipv6_prefixes" {
+ description = "Assigns IPv6 outpost subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
+ type = list(string)
+ default = []
+}
+
+variable "outpost_subnet_ipv6_native" {
+ description = "Indicates whether to create an IPv6-only subnet. Default: `false`"
+ type = bool
+ default = false
+}
+
+variable "map_customer_owned_ip_on_launch" {
+ description = "Specify true to indicate that network interfaces created in the subnet should be assigned a customer owned IP address. The `customer_owned_ipv4_pool` and `outpost_arn` arguments must be specified when set to `true`. Default is `false`"
+ type = bool
+ default = false
+}
+
+variable "outpost_arn" {
+ description = "ARN of Outpost you want to create a subnet in"
+ type = string
+ default = null
+}
+
+variable "outpost_subnet_private_dns_hostname_type_on_launch" {
+ description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`"
+ type = string
+ default = null
+}
+
+variable "outpost_subnet_names" {
+ description = "Explicit values to use in the Name tag on outpost subnets. If empty, Name tags are generated"
+ type = list(string)
+ default = []
+}
+
+variable "outpost_subnet_suffix" {
+ description = "Suffix to append to outpost subnets name"
+ type = string
+ default = "outpost"
+}
+
+variable "outpost_subnet_tags" {
+ description = "Additional tags for the outpost subnets"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# Outpost Network ACLs
+################################################################################
+
+variable "outpost_dedicated_network_acl" {
+ description = "Whether to use dedicated network ACL (not default) and custom rules for outpost subnets"
+ type = bool
+ default = false
+}
+
+variable "outpost_inbound_acl_rules" {
+ description = "Outpost subnets inbound network ACLs"
+ type = list(map(string))
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "outpost_outbound_acl_rules" {
+ description = "Outpost subnets outbound network ACLs"
+ type = list(map(string))
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "outpost_acl_tags" {
+ description = "Additional tags for the outpost subnets network ACL"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# Internet Gateway
+################################################################################
+
+variable "create_igw" {
+ description = "Controls if an Internet Gateway is created for public subnets and the related routes that connect them"
+ type = bool
+ default = true
+}
+
+variable "create_egress_only_igw" {
+ description = "Controls if an Egress Only Internet Gateway is created and its related routes"
+ type = bool
+ default = true
+}
+
+variable "igw_tags" {
+ description = "Additional tags for the internet gateway"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# NAT Gateway
+################################################################################
+
+variable "enable_nat_gateway" {
+ description = "Should be true if you want to provision NAT Gateways for each of your private networks"
+ type = bool
+ default = false
+}
+
+variable "nat_gateway_destination_cidr_block" {
+ description = "Used to pass a custom destination route for private NAT Gateway. If not specified, the default 0.0.0.0/0 is used as a destination route"
+ type = string
+ default = "0.0.0.0/0"
+}
+
+variable "single_nat_gateway" {
+ description = "Should be true if you want to provision a single shared NAT Gateway across all of your private networks"
+ type = bool
+ default = false
+}
+
+variable "one_nat_gateway_per_az" {
+ description = "Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`"
+ type = bool
+ default = false
+}
+
+variable "reuse_nat_ips" {
+ description = "Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable"
+ type = bool
+ default = false
+}
+
+variable "external_nat_ip_ids" {
+ description = "List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips)"
+ type = list(string)
+ default = []
+}
+
+variable "external_nat_ips" {
+ description = "List of EIPs to be used for `nat_public_ips` output (used in combination with reuse_nat_ips and external_nat_ip_ids)"
+ type = list(string)
+ default = []
+}
+
+variable "nat_gateway_tags" {
+ description = "Additional tags for the NAT gateways"
+ type = map(string)
+ default = {}
+}
+
+variable "nat_eip_tags" {
+ description = "Additional tags for the NAT EIP"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# Customer Gateways
+################################################################################
+
+variable "customer_gateways" {
+ description = "Maps of Customer Gateway's attributes (BGP ASN and Gateway's Internet-routable external IP address)"
+ type = map(map(any))
+ default = {}
+}
+
+variable "customer_gateway_tags" {
+ description = "Additional tags for the Customer Gateway"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# VPN Gateway
+################################################################################
+
+variable "enable_vpn_gateway" {
+ description = "Should be true if you want to create a new VPN Gateway resource and attach it to the VPC"
+ type = bool
+ default = false
+}
+
+variable "vpn_gateway_id" {
+ description = "ID of VPN Gateway to attach to the VPC"
+ type = string
+ default = ""
+}
+
+variable "amazon_side_asn" {
+ description = "The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN"
+ type = string
+ default = "64512"
+}
+
+variable "vpn_gateway_az" {
+ description = "The Availability Zone for the VPN Gateway"
+ type = string
+ default = null
+}
+
+variable "propagate_intra_route_tables_vgw" {
+ description = "Should be true if you want route table propagation"
+ type = bool
+ default = false
+}
+
+variable "propagate_private_route_tables_vgw" {
+ description = "Should be true if you want route table propagation"
+ type = bool
+ default = false
+}
+
+variable "propagate_public_route_tables_vgw" {
+ description = "Should be true if you want route table propagation"
+ type = bool
+ default = false
+}
+
+variable "vpn_gateway_tags" {
+ description = "Additional tags for the VPN gateway"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# Default VPC
+################################################################################
+
+variable "manage_default_vpc" {
+ description = "Should be true to adopt and manage Default VPC"
+ type = bool
+ default = false
+}
+
+variable "default_vpc_name" {
+ description = "Name to be used on the Default VPC"
+ type = string
+ default = null
+}
+
+variable "default_vpc_enable_dns_support" {
+ description = "Should be true to enable DNS support in the Default VPC"
+ type = bool
+ default = true
+}
+
+variable "default_vpc_enable_dns_hostnames" {
+ description = "Should be true to enable DNS hostnames in the Default VPC"
+ type = bool
+ default = true
+}
+
+variable "default_vpc_tags" {
+ description = "Additional tags for the Default VPC"
+ type = map(string)
+ default = {}
+}
+
+variable "manage_default_security_group" {
+ description = "Should be true to adopt and manage default security group"
+ type = bool
+ default = true
+}
+
+variable "default_security_group_name" {
+ description = "Name to be used on the default security group"
+ type = string
+ default = null
+}
+
+variable "default_security_group_ingress" {
+ description = "List of maps of ingress rules to set on the default security group"
+ type = list(map(string))
+ default = []
+}
+
+variable "default_security_group_egress" {
+ description = "List of maps of egress rules to set on the default security group"
+ type = list(map(string))
+ default = []
+}
+
+variable "default_security_group_tags" {
+ description = "Additional tags for the default security group"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# Default Network ACLs
+################################################################################
+
+variable "manage_default_network_acl" {
+ description = "Should be true to adopt and manage Default Network ACL"
+ type = bool
+ default = true
+}
+
+variable "default_network_acl_name" {
+ description = "Name to be used on the Default Network ACL"
+ type = string
+ default = null
+}
+
+variable "default_network_acl_ingress" {
+ description = "List of maps of ingress rules to set on the Default Network ACL"
+ type = list(map(string))
+ default = [
+ {
+ rule_no = 100
+ action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ {
+ rule_no = 101
+ action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ ipv6_cidr_block = "::/0"
+ },
+ ]
+}
+
+variable "default_network_acl_egress" {
+ description = "List of maps of egress rules to set on the Default Network ACL"
+ type = list(map(string))
+ default = [
+ {
+ rule_no = 100
+ action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ {
+ rule_no = 101
+ action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ ipv6_cidr_block = "::/0"
+ },
+ ]
+}
+
+variable "default_network_acl_tags" {
+ description = "Additional tags for the Default Network ACL"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# Default Route
+################################################################################
+
+variable "manage_default_route_table" {
+ description = "Should be true to manage default route table"
+ type = bool
+ default = true
+}
+
+variable "default_route_table_name" {
+ description = "Name to be used on the default route table"
+ type = string
+ default = null
+}
+
+variable "default_route_table_propagating_vgws" {
+ description = "List of virtual gateways for propagation"
+ type = list(string)
+ default = []
+}
+
+variable "default_route_table_routes" {
+ description = "Configuration block of routes. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_route_table#route"
+ type = list(map(string))
+ default = []
+}
+
+variable "default_route_table_tags" {
+ description = "Additional tags for the default route table"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# Flow Log
+################################################################################
+
+variable "enable_flow_log" {
+ description = "Whether or not to enable VPC Flow Logs"
+ type = bool
+ default = false
+}
+
+variable "vpc_flow_log_permissions_boundary" {
+ description = "The ARN of the Permissions Boundary for the VPC Flow Log IAM Role"
+ type = string
+ default = null
+}
+
+variable "flow_log_max_aggregation_interval" {
+ description = "The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds"
+ type = number
+ default = 600
+}
+
+variable "flow_log_traffic_type" {
+ description = "The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL"
+ type = string
+ default = "ALL"
+}
+
+variable "flow_log_destination_type" {
+ description = "Type of flow log destination. Can be s3, kinesis-data-firehose or cloud-watch-logs"
+ type = string
+ default = "cloud-watch-logs"
+}
+
+variable "flow_log_log_format" {
+ description = "The fields to include in the flow log record, in the order in which they should appear"
+ type = string
+ default = null
+}
+
+variable "flow_log_destination_arn" {
+ description = "The ARN of the CloudWatch log group or S3 bucket where VPC Flow Logs will be pushed. If this ARN is a S3 bucket the appropriate permissions need to be set on that bucket's policy. When create_flow_log_cloudwatch_log_group is set to false this argument must be provided"
+ type = string
+ default = ""
+}
+
+variable "flow_log_deliver_cross_account_role" {
+ description = "(Optional) ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts."
+ type = string
+ default = null
+}
+
+variable "flow_log_file_format" {
+ description = "(Optional) The format for the flow log. Valid values: `plain-text`, `parquet`"
+ type = string
+ default = null
+}
+
+variable "flow_log_hive_compatible_partitions" {
+ description = "(Optional) Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3"
+ type = bool
+ default = false
+}
+
+variable "flow_log_per_hour_partition" {
+ description = "(Optional) Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries"
+ type = bool
+ default = false
+}
+
+variable "vpc_flow_log_tags" {
+ description = "Additional tags for the VPC Flow Logs"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# Flow Log CloudWatch
+################################################################################
+
+variable "create_flow_log_cloudwatch_log_group" {
+ description = "Whether to create CloudWatch log group for VPC Flow Logs"
+ type = bool
+ default = false
+}
+
+variable "create_flow_log_cloudwatch_iam_role" {
+ description = "Whether to create IAM role for VPC Flow Logs"
+ type = bool
+ default = false
+}
+
+variable "flow_log_cloudwatch_iam_role_arn" {
+ description = "The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When flow_log_destination_arn is set to ARN of Cloudwatch Logs, this argument needs to be provided"
+ type = string
+ default = ""
+}
+
+variable "flow_log_cloudwatch_log_group_name_prefix" {
+ description = "Specifies the name prefix of CloudWatch Log Group for VPC flow logs"
+ type = string
+ default = "/aws/vpc-flow-log/"
+}
+
+variable "flow_log_cloudwatch_log_group_name_suffix" {
+ description = "Specifies the name suffix of CloudWatch Log Group for VPC flow logs"
+ type = string
+ default = ""
+}
+
+variable "flow_log_cloudwatch_log_group_retention_in_days" {
+ description = "Specifies the number of days you want to retain log events in the specified log group for VPC flow logs"
+ type = number
+ default = null
+}
+
+variable "flow_log_cloudwatch_log_group_kms_key_id" {
+ description = "The ARN of the KMS Key to use when encrypting log data for VPC flow logs"
+ type = string
+ default = null
+}
+
+variable "flow_log_cloudwatch_log_group_skip_destroy" {
+ description = " Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state"
+ type = bool
+ default = false
+}
+
+variable "flow_log_cloudwatch_log_group_class" {
+ description = "Specified the log class of the log group. Possible values are: STANDARD or INFREQUENT_ACCESS"
+ type = string
+ default = null
+}
+
+variable "putin_khuylo" {
+ description = "Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo!"
+ type = bool
+ default = true
+}
From bb47739358ccec914c64d73d58dc9b5cc2e1bc92 Mon Sep 17 00:00:00 2001 From: Jake Date: Wed, 31 Dec 2025 14:17:19 +0000 Subject: [PATCH 10/17] codex: improve sys tests --- test/assets/terraform/api/git-subdir.yaml | 75 + test/assets/terraform/api/git.yaml | 1357 +++++++++++++++++ test/assets/terraform/api/local.yaml | 35 + .../assets/terraform/api/nested-registry.yaml | 75 + test/assets/terraform/api/registry.yaml | 218 +++ test/init_tf_module_sources_test.go | 112 +- 6 files changed, 1809 insertions(+), 63 deletions(-) create mode 100644 test/assets/terraform/api/git-subdir.yaml create mode 100644 test/assets/terraform/api/git.yaml create mode 100644 test/assets/terraform/api/local.yaml create mode 100644 test/assets/terraform/api/nested-registry.yaml create mode 100644 test/assets/terraform/api/registry.yaml
diff --git a/test/assets/terraform/api/git-subdir.yaml b/test/assets/terraform/api/git-subdir.yaml
new file mode 100644
index 0000000..6ea5a17
--- /dev/null
+++ b/test/assets/terraform/api/git-subdir.yaml
@@ -0,0 +1,75 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: examples.example.com +spec: + group: example.com + names: + kind: Example + plural: examples + singular: example + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + properties: + spec: + default: {} + properties: + create: + default: true + description: Determines whether resources will be created + type: boolean + create_security_group: + default: false + description: Determines if a security group is created + type: boolean + security_group_description: + description: Description of the security group created + type: string + security_group_ids: + default: [] + description: Default security group IDs to associate with the VPC endpoints + items: + type: string + type: array + security_group_name: + description: Name to use on security group created. Conflicts with `security_group_name_prefix` + type: string + security_group_name_prefix: + description: Name prefix to use on security group created. Conflicts with `security_group_name` + type: string + security_group_tags: + additionalProperties: + type: string + default: {} + description: A map of additional tags to add to the security group created + type: object + subnet_ids: + default: [] + description: Default subnets IDs to associate with the VPC endpoints + items: + type: string + type: array + tags: + additionalProperties: + type: string + default: {} + description: A map of tags to use on all resources + type: object + timeouts: + additionalProperties: + type: string + default: {} + description: Define maximum timeout for creating, updating, and deleting VPC endpoint + resources + type: object + vpc_id: + description: The ID of the VPC in which the endpoint will be used + type: string + type: object + + served: true + storage: true diff --git a/test/assets/terraform/api/git.yaml b/test/assets/terraform/api/git.yaml new file mode 100644 index 0000000..70ebca1 
--- /dev/null +++ b/test/assets/terraform/api/git.yaml 
@@ -0,0 +1,1357 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: examples.example.com +spec: + group: example.com + names: + kind: Example + plural: examples + singular: example + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + properties: + spec: + default: {} + properties: + amazon_side_asn: + default: "64512" + description: The Autonomous System Number (ASN) for the Amazon side of the gateway. + By default the virtual private gateway is created with the current default Amazon + ASN + type: string + azs: + default: [] + description: A list of availability zones names or ids in the region + items: + type: string + type: array + cidr: + default: 10.0.0.0/16 + description: (Optional) The IPv4 CIDR block for the VPC. CIDR can be explicitly + set or it can be derived from IPAM using `ipv4_netmask_length` & `ipv4_ipam_pool_id` + type: string + create_database_internet_gateway_route: + default: false + description: Controls if an internet gateway route for public database access + should be created + type: boolean + create_database_nat_gateway_route: + default: false + description: Controls if a nat gateway route should be created to give internet + access to the database subnets + type: boolean + create_database_subnet_group: + default: true + description: Controls if database subnet group should be created (n.b. 
database_subnets + must also be set) + type: boolean + create_database_subnet_route_table: + default: false + description: Controls if separate route table for database should be created + type: boolean + create_egress_only_igw: + default: true + description: Controls if an Egress Only Internet Gateway is created and its related + routes + type: boolean + create_elasticache_subnet_group: + default: true + description: Controls if elasticache subnet group should be created + type: boolean + create_elasticache_subnet_route_table: + default: false + description: Controls if separate route table for elasticache should be created + type: boolean + create_flow_log_cloudwatch_iam_role: + default: false + description: Whether to create IAM role for VPC Flow Logs + type: boolean + create_flow_log_cloudwatch_log_group: + default: false + description: Whether to create CloudWatch log group for VPC Flow Logs + type: boolean + create_igw: + default: true + description: Controls if an Internet Gateway is created for public subnets and + the related routes that connect them + type: boolean + create_redshift_subnet_group: + default: true + description: Controls if redshift subnet group should be created + type: boolean + create_redshift_subnet_route_table: + default: false + description: Controls if separate route table for redshift should be created + type: boolean + create_vpc: + default: true + description: Controls if VPC should be created (it affects almost all resources) + type: boolean + customer_gateway_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the Customer Gateway + type: object + customer_gateways: + additionalProperties: + type: object + x-kubernetes-preserve-unknown-fields: true + default: {} + description: Maps of Customer Gateway's attributes (BGP ASN and Gateway's Internet-routable + external IP address) + type: object + customer_owned_ipv4_pool: + description: The customer owned IPv4 address pool. 
Typically used with the `map_customer_owned_ip_on_launch` + argument. The `outpost_arn` argument must be specified when configured + type: string + database_acl_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the database subnets network ACL + type: object + database_dedicated_network_acl: + default: false + description: Whether to use dedicated network ACL (not default) and custom rules + for database subnets + type: boolean + database_inbound_acl_rules: + default: + - cidr_block: 0.0.0.0/0 + from_port: "0" + protocol: "-1" + rule_action: allow + rule_number: "100" + to_port: "0" + description: Database subnets inbound network ACL rules + items: + additionalProperties: + type: string + type: object + type: array + database_outbound_acl_rules: + default: + - cidr_block: 0.0.0.0/0 + from_port: "0" + protocol: "-1" + rule_action: allow + rule_number: "100" + to_port: "0" + description: Database subnets outbound network ACL rules + items: + additionalProperties: + type: string + type: object + type: array + database_route_table_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the database route tables + type: object + database_subnet_assign_ipv6_address_on_creation: + default: false + description: Specify true to indicate that network interfaces created in the specified + subnet should be assigned an IPv6 address. Default is `false` + type: boolean + database_subnet_enable_dns64: + default: true + description: 'Indicates whether DNS queries made to the Amazon-provided DNS Resolver + in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. + Default: `true`' + type: boolean + database_subnet_enable_resource_name_dns_a_record_on_launch: + default: false + description: 'Indicates whether to respond to DNS queries for instance hostnames + with DNS A records. 
Default: `false`' + type: boolean + database_subnet_enable_resource_name_dns_aaaa_record_on_launch: + default: true + description: 'Indicates whether to respond to DNS queries for instance hostnames + with DNS AAAA records. Default: `true`' + type: boolean + database_subnet_group_name: + description: Name of database subnet group + type: string + database_subnet_group_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the database subnet group + type: object + database_subnet_ipv6_native: + default: false + description: 'Indicates whether to create an IPv6-only subnet. Default: `false`' + type: boolean + database_subnet_ipv6_prefixes: + default: [] + description: Assigns IPv6 database subnet id based on the Amazon provided /56 + prefix base 10 integer (0-256). Must be of equal length to the corresponding + IPv4 subnet list + items: + type: string + type: array + database_subnet_names: + default: [] + description: Explicit values to use in the Name tag on database subnets. If empty, + Name tags are generated + items: + type: string + type: array + database_subnet_private_dns_hostname_type_on_launch: + description: 'The type of hostnames to assign to instances in the subnet at launch. + For IPv6-only subnets, an instance DNS name must be based on the instance ID. + For dual-stack and IPv4-only subnets, you can specify whether DNS names use + the instance IPv4 address or the instance ID. 
Valid values: `ip-name`, `resource-name`' + type: string + database_subnet_suffix: + default: db + description: Suffix to append to database subnets name + type: string + database_subnet_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the database subnets + type: object + database_subnets: + default: [] + description: A list of database subnets inside the VPC + items: + type: string + type: array + default_network_acl_egress: + default: + - action: allow + cidr_block: 0.0.0.0/0 + from_port: "0" + protocol: "-1" + rule_no: "100" + to_port: "0" + - action: allow + from_port: "0" + ipv6_cidr_block: ::/0 + protocol: "-1" + rule_no: "101" + to_port: "0" + description: List of maps of egress rules to set on the Default Network ACL + items: + additionalProperties: + type: string + type: object + type: array + default_network_acl_ingress: + default: + - action: allow + cidr_block: 0.0.0.0/0 + from_port: "0" + protocol: "-1" + rule_no: "100" + to_port: "0" + - action: allow + from_port: "0" + ipv6_cidr_block: ::/0 + protocol: "-1" + rule_no: "101" + to_port: "0" + description: List of maps of ingress rules to set on the Default Network ACL + items: + additionalProperties: + type: string + type: object + type: array + default_network_acl_name: + description: Name to be used on the Default Network ACL + type: string + default_network_acl_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the Default Network ACL + type: object + default_route_table_name: + description: Name to be used on the default route table + type: string + default_route_table_propagating_vgws: + default: [] + description: List of virtual gateways for propagation + items: + type: string + type: array + default_route_table_routes: + default: [] + description: Configuration block of routes. 
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_route_table#route + items: + additionalProperties: + type: string + type: object + type: array + default_route_table_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the default route table + type: object + default_security_group_egress: + default: [] + description: List of maps of egress rules to set on the default security group + items: + additionalProperties: + type: string + type: object + type: array + default_security_group_ingress: + default: [] + description: List of maps of ingress rules to set on the default security group + items: + additionalProperties: + type: string + type: object + type: array + default_security_group_name: + description: Name to be used on the default security group + type: string + default_security_group_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the default security group + type: object + default_vpc_enable_dns_hostnames: + default: true + description: Should be true to enable DNS hostnames in the Default VPC + type: boolean + default_vpc_enable_dns_support: + default: true + description: Should be true to enable DNS support in the Default VPC + type: boolean + default_vpc_name: + description: Name to be used on the Default VPC + type: string + default_vpc_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the Default VPC + type: object + dhcp_options_domain_name: + default: "" + description: Specifies DNS name for DHCP options set (requires enable_dhcp_options + set to true) + type: string + dhcp_options_domain_name_servers: + default: + - AmazonProvidedDNS + description: Specify a list of DNS server addresses for DHCP options set, default + to AWS provided (requires enable_dhcp_options set to true) + items: + type: string + type: array + dhcp_options_netbios_name_servers: + default: [] + description: 
Specify a list of netbios servers for DHCP options set (requires + enable_dhcp_options set to true) + items: + type: string + type: array + dhcp_options_netbios_node_type: + default: "" + description: Specify netbios node_type for DHCP options set (requires enable_dhcp_options + set to true) + type: string + dhcp_options_ntp_servers: + default: [] + description: Specify a list of NTP servers for DHCP options set (requires enable_dhcp_options + set to true) + items: + type: string + type: array + dhcp_options_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the DHCP option set (requires enable_dhcp_options + set to true) + type: object + elasticache_acl_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the elasticache subnets network ACL + type: object + elasticache_dedicated_network_acl: + default: false + description: Whether to use dedicated network ACL (not default) and custom rules + for elasticache subnets + type: boolean + elasticache_inbound_acl_rules: + default: + - cidr_block: 0.0.0.0/0 + from_port: "0" + protocol: "-1" + rule_action: allow + rule_number: "100" + to_port: "0" + description: Elasticache subnets inbound network ACL rules + items: + additionalProperties: + type: string + type: object + type: array + elasticache_outbound_acl_rules: + default: + - cidr_block: 0.0.0.0/0 + from_port: "0" + protocol: "-1" + rule_action: allow + rule_number: "100" + to_port: "0" + description: Elasticache subnets outbound network ACL rules + items: + additionalProperties: + type: string + type: object + type: array + elasticache_route_table_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the elasticache route tables + type: object + elasticache_subnet_assign_ipv6_address_on_creation: + default: false + description: Specify true to indicate that network interfaces created in the specified + subnet should be assigned an IPv6 address. 
Default is `false` + type: boolean + elasticache_subnet_enable_dns64: + default: true + description: 'Indicates whether DNS queries made to the Amazon-provided DNS Resolver + in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. + Default: `true`' + type: boolean + elasticache_subnet_enable_resource_name_dns_a_record_on_launch: + default: false + description: 'Indicates whether to respond to DNS queries for instance hostnames + with DNS A records. Default: `false`' + type: boolean + elasticache_subnet_enable_resource_name_dns_aaaa_record_on_launch: + default: true + description: 'Indicates whether to respond to DNS queries for instance hostnames + with DNS AAAA records. Default: `true`' + type: boolean + elasticache_subnet_group_name: + description: Name of elasticache subnet group + type: string + elasticache_subnet_group_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the elasticache subnet group + type: object + elasticache_subnet_ipv6_native: + default: false + description: 'Indicates whether to create an IPv6-only subnet. Default: `false`' + type: boolean + elasticache_subnet_ipv6_prefixes: + default: [] + description: Assigns IPv6 elasticache subnet id based on the Amazon provided /56 + prefix base 10 integer (0-256). Must be of equal length to the corresponding + IPv4 subnet list + items: + type: string + type: array + elasticache_subnet_names: + default: [] + description: Explicit values to use in the Name tag on elasticache subnets. If + empty, Name tags are generated + items: + type: string + type: array + elasticache_subnet_private_dns_hostname_type_on_launch: + description: 'The type of hostnames to assign to instances in the subnet at launch. + For IPv6-only subnets, an instance DNS name must be based on the instance ID. + For dual-stack and IPv4-only subnets, you can specify whether DNS names use + the instance IPv4 address or the instance ID. 
Valid values: `ip-name`, `resource-name`' + type: string + elasticache_subnet_suffix: + default: elasticache + description: Suffix to append to elasticache subnets name + type: string + elasticache_subnet_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the elasticache subnets + type: object + elasticache_subnets: + default: [] + description: A list of elasticache subnets inside the VPC + items: + type: string + type: array + enable_dhcp_options: + default: false + description: Should be true if you want to specify a DHCP options set with a custom + domain name, DNS servers, NTP servers, netbios servers, and/or netbios server + type + type: boolean + enable_dns_hostnames: + default: true + description: Should be true to enable DNS hostnames in the VPC + type: boolean + enable_dns_support: + default: true + description: Should be true to enable DNS support in the VPC + type: boolean + enable_flow_log: + default: false + description: Whether or not to enable VPC Flow Logs + type: boolean + enable_ipv6: + default: false + description: Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length + for the VPC. 
You cannot specify the range of IP addresses, or the size of the + CIDR block + type: boolean + enable_nat_gateway: + default: false + description: Should be true if you want to provision NAT Gateways for each of + your private networks + type: boolean + enable_network_address_usage_metrics: + description: Determines whether network address usage metrics are enabled for + the VPC + type: boolean + enable_public_redshift: + default: false + description: Controls if redshift should have public routing table + type: boolean + enable_vpn_gateway: + default: false + description: Should be true if you want to create a new VPN Gateway resource and + attach it to the VPC + type: boolean + external_nat_ip_ids: + default: [] + description: List of EIP IDs to be assigned to the NAT Gateways (used in combination + with reuse_nat_ips) + items: + type: string + type: array + external_nat_ips: + default: [] + description: List of EIPs to be used for `nat_public_ips` output (used in combination + with reuse_nat_ips and external_nat_ip_ids) + items: + type: string + type: array + flow_log_cloudwatch_iam_role_arn: + default: "" + description: The ARN for the IAM role that's used to post flow logs to a CloudWatch + Logs log group. When flow_log_destination_arn is set to ARN of Cloudwatch Logs, + this argument needs to be provided + type: string + flow_log_cloudwatch_log_group_class: + description: 'Specified the log class of the log group. 
Possible values are: STANDARD + or INFREQUENT_ACCESS' + type: string + flow_log_cloudwatch_log_group_kms_key_id: + description: The ARN of the KMS Key to use when encrypting log data for VPC flow + logs + type: string + flow_log_cloudwatch_log_group_name_prefix: + default: /aws/vpc-flow-log/ + description: Specifies the name prefix of CloudWatch Log Group for VPC flow logs + type: string + flow_log_cloudwatch_log_group_name_suffix: + default: "" + description: Specifies the name suffix of CloudWatch Log Group for VPC flow logs + type: string + flow_log_cloudwatch_log_group_retention_in_days: + description: Specifies the number of days you want to retain log events in the + specified log group for VPC flow logs + type: number + flow_log_cloudwatch_log_group_skip_destroy: + default: false + description: ' Set to true if you do not wish the log group (and any logs it may + contain) to be deleted at destroy time, and instead just remove the log group + from the Terraform state' + type: boolean + flow_log_deliver_cross_account_role: + description: (Optional) ARN of the IAM role that allows Amazon EC2 to publish + flow logs across accounts. + type: string + flow_log_destination_arn: + default: "" + description: The ARN of the CloudWatch log group or S3 bucket where VPC Flow Logs + will be pushed. If this ARN is a S3 bucket the appropriate permissions need + to be set on that bucket's policy. When create_flow_log_cloudwatch_log_group + is set to false this argument must be provided + type: string + flow_log_destination_type: + default: cloud-watch-logs + description: Type of flow log destination. Can be s3, kinesis-data-firehose or + cloud-watch-logs + type: string + flow_log_file_format: + description: '(Optional) The format for the flow log. 
Valid values: `plain-text`, + `parquet`' + type: string + flow_log_hive_compatible_partitions: + default: false + description: (Optional) Indicates whether to use Hive-compatible prefixes for + flow logs stored in Amazon S3 + type: boolean + flow_log_log_format: + description: The fields to include in the flow log record, in the order in which + they should appear + type: string + flow_log_max_aggregation_interval: + default: 600 + description: 'The maximum interval of time during which a flow of packets is captured + and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds' + type: number + flow_log_per_hour_partition: + default: false + description: (Optional) Indicates whether to partition the flow log per hour. + This reduces the cost and response time for queries + type: boolean + flow_log_traffic_type: + default: ALL + description: 'The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL' + type: string + igw_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the internet gateway + type: object + instance_tenancy: + default: default + description: A tenancy option for instances launched into the VPC + type: string + intra_acl_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the intra subnets network ACL + type: object + intra_dedicated_network_acl: + default: false + description: Whether to use dedicated network ACL (not default) and custom rules + for intra subnets + type: boolean + intra_inbound_acl_rules: + default: + - cidr_block: 0.0.0.0/0 + from_port: "0" + protocol: "-1" + rule_action: allow + rule_number: "100" + to_port: "0" + description: Intra subnets inbound network ACLs + items: + additionalProperties: + type: string + type: object + type: array + intra_outbound_acl_rules: + default: + - cidr_block: 0.0.0.0/0 + from_port: "0" + protocol: "-1" + rule_action: allow + rule_number: "100" + to_port: "0" + description: Intra 
subnets outbound network ACLs + items: + additionalProperties: + type: string + type: object + type: array + intra_route_table_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the intra route tables + type: object + intra_subnet_assign_ipv6_address_on_creation: + default: false + description: Specify true to indicate that network interfaces created in the specified + subnet should be assigned an IPv6 address. Default is `false` + type: boolean + intra_subnet_enable_dns64: + default: true + description: 'Indicates whether DNS queries made to the Amazon-provided DNS Resolver + in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. + Default: `true`' + type: boolean + intra_subnet_enable_resource_name_dns_a_record_on_launch: + default: false + description: 'Indicates whether to respond to DNS queries for instance hostnames + with DNS A records. Default: `false`' + type: boolean + intra_subnet_enable_resource_name_dns_aaaa_record_on_launch: + default: true + description: 'Indicates whether to respond to DNS queries for instance hostnames + with DNS AAAA records. Default: `true`' + type: boolean + intra_subnet_ipv6_native: + default: false + description: 'Indicates whether to create an IPv6-only subnet. Default: `false`' + type: boolean + intra_subnet_ipv6_prefixes: + default: [] + description: Assigns IPv6 intra subnet id based on the Amazon provided /56 prefix + base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet + list + items: + type: string + type: array + intra_subnet_names: + default: [] + description: Explicit values to use in the Name tag on intra subnets. If empty, + Name tags are generated + items: + type: string + type: array + intra_subnet_private_dns_hostname_type_on_launch: + description: 'The type of hostnames to assign to instances in the subnet at launch. + For IPv6-only subnets, an instance DNS name must be based on the instance ID. 
+ For dual-stack and IPv4-only subnets, you can specify whether DNS names use + the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`' + type: string + intra_subnet_suffix: + default: intra + description: Suffix to append to intra subnets name + type: string + intra_subnet_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the intra subnets + type: object + intra_subnets: + default: [] + description: A list of intra subnets inside the VPC + items: + type: string + type: array + ipv4_ipam_pool_id: + description: (Optional) The ID of an IPv4 IPAM pool you want to use for allocating + this VPC's CIDR + type: string + ipv4_netmask_length: + description: (Optional) The netmask length of the IPv4 CIDR you want to allocate + to this VPC. Requires specifying a ipv4_ipam_pool_id + type: number + ipv6_cidr: + description: (Optional) IPv6 CIDR block to request from an IPAM Pool. Can be set + explicitly or derived from IPAM using `ipv6_netmask_length` + type: string + ipv6_cidr_block_network_border_group: + description: By default when an IPv6 CIDR is assigned to a VPC a default ipv6_cidr_block_network_border_group + will be set to the region of the VPC. This can be changed to restrict advertisement + of public addresses to specific Network Border Groups such as LocalZones + type: string + ipv6_ipam_pool_id: + description: (Optional) IPAM Pool ID for a IPv6 pool. Conflicts with `assign_generated_ipv6_cidr_block` + type: string + ipv6_netmask_length: + description: '(Optional) Netmask length to request from IPAM Pool. Conflicts with + `ipv6_cidr_block`. This can be omitted if IPAM pool as a `allocation_default_netmask_length` + set. 
Valid values: `56`' + type: number + manage_default_network_acl: + default: true + description: Should be true to adopt and manage Default Network ACL + type: boolean + manage_default_route_table: + default: true + description: Should be true to manage default route table + type: boolean + manage_default_security_group: + default: true + description: Should be true to adopt and manage default security group + type: boolean + manage_default_vpc: + default: false + description: Should be true to adopt and manage Default VPC + type: boolean + map_customer_owned_ip_on_launch: + default: false + description: Specify true to indicate that network interfaces created in the subnet + should be assigned a customer owned IP address. The `customer_owned_ipv4_pool` + and `outpost_arn` arguments must be specified when set to `true`. Default is + `false` + type: boolean + map_public_ip_on_launch: + default: false + description: Specify true to indicate that instances launched into the subnet + should be assigned a public IP address. Default is `false` + type: boolean + name: + default: "" + description: Name to be used on all the resources as identifier + type: string + nat_eip_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the NAT EIP + type: object + nat_gateway_destination_cidr_block: + default: 0.0.0.0/0 + description: Used to pass a custom destination route for private NAT Gateway. + If not specified, the default 0.0.0.0/0 is used as a destination route + type: string + nat_gateway_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the NAT gateways + type: object + one_nat_gateway_per_az: + default: false + description: Should be true if you want only one NAT Gateway per availability + zone. 
Requires `var.azs` to be set, and the number of `public_subnets` created + to be greater than or equal to the number of availability zones specified in + `var.azs` + type: boolean + outpost_acl_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the outpost subnets network ACL + type: object + outpost_arn: + description: ARN of Outpost you want to create a subnet in + type: string + outpost_az: + description: AZ where Outpost is anchored + type: string + outpost_dedicated_network_acl: + default: false + description: Whether to use dedicated network ACL (not default) and custom rules + for outpost subnets + type: boolean + outpost_inbound_acl_rules: + default: + - cidr_block: 0.0.0.0/0 + from_port: "0" + protocol: "-1" + rule_action: allow + rule_number: "100" + to_port: "0" + description: Outpost subnets inbound network ACLs + items: + additionalProperties: + type: string + type: object + type: array + outpost_outbound_acl_rules: + default: + - cidr_block: 0.0.0.0/0 + from_port: "0" + protocol: "-1" + rule_action: allow + rule_number: "100" + to_port: "0" + description: Outpost subnets outbound network ACLs + items: + additionalProperties: + type: string + type: object + type: array + outpost_subnet_assign_ipv6_address_on_creation: + default: false + description: Specify true to indicate that network interfaces created in the specified + subnet should be assigned an IPv6 address. Default is `false` + type: boolean + outpost_subnet_enable_dns64: + default: true + description: 'Indicates whether DNS queries made to the Amazon-provided DNS Resolver + in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. + Default: `true`' + type: boolean + outpost_subnet_enable_resource_name_dns_a_record_on_launch: + default: false + description: 'Indicates whether to respond to DNS queries for instance hostnames + with DNS A records. 
Default: `false`' + type: boolean + outpost_subnet_enable_resource_name_dns_aaaa_record_on_launch: + default: true + description: 'Indicates whether to respond to DNS queries for instance hostnames + with DNS AAAA records. Default: `true`' + type: boolean + outpost_subnet_ipv6_native: + default: false + description: 'Indicates whether to create an IPv6-only subnet. Default: `false`' + type: boolean + outpost_subnet_ipv6_prefixes: + default: [] + description: Assigns IPv6 outpost subnet id based on the Amazon provided /56 prefix + base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet + list + items: + type: string + type: array + outpost_subnet_names: + default: [] + description: Explicit values to use in the Name tag on outpost subnets. If empty, + Name tags are generated + items: + type: string + type: array + outpost_subnet_private_dns_hostname_type_on_launch: + description: 'The type of hostnames to assign to instances in the subnet at launch. + For IPv6-only subnets, an instance DNS name must be based on the instance ID. + For dual-stack and IPv4-only subnets, you can specify whether DNS names use + the instance IPv4 address or the instance ID. 
Valid values: `ip-name`, `resource-name`' + type: string + outpost_subnet_suffix: + default: outpost + description: Suffix to append to outpost subnets name + type: string + outpost_subnet_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the outpost subnets + type: object + outpost_subnets: + default: [] + description: A list of outpost subnets inside the VPC + items: + type: string + type: array + private_acl_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the private subnets network ACL + type: object + private_dedicated_network_acl: + default: false + description: Whether to use dedicated network ACL (not default) and custom rules + for private subnets + type: boolean + private_inbound_acl_rules: + default: + - cidr_block: 0.0.0.0/0 + from_port: "0" + protocol: "-1" + rule_action: allow + rule_number: "100" + to_port: "0" + description: Private subnets inbound network ACLs + items: + additionalProperties: + type: string + type: object + type: array + private_outbound_acl_rules: + default: + - cidr_block: 0.0.0.0/0 + from_port: "0" + protocol: "-1" + rule_action: allow + rule_number: "100" + to_port: "0" + description: Private subnets outbound network ACLs + items: + additionalProperties: + type: string + type: object + type: array + private_route_table_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the private route tables + type: object + private_subnet_assign_ipv6_address_on_creation: + default: false + description: Specify true to indicate that network interfaces created in the specified + subnet should be assigned an IPv6 address. Default is `false` + type: boolean + private_subnet_enable_dns64: + default: true + description: 'Indicates whether DNS queries made to the Amazon-provided DNS Resolver + in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. 
+ Default: `true`' + type: boolean + private_subnet_enable_resource_name_dns_a_record_on_launch: + default: false + description: 'Indicates whether to respond to DNS queries for instance hostnames + with DNS A records. Default: `false`' + type: boolean + private_subnet_enable_resource_name_dns_aaaa_record_on_launch: + default: true + description: 'Indicates whether to respond to DNS queries for instance hostnames + with DNS AAAA records. Default: `true`' + type: boolean + private_subnet_ipv6_native: + default: false + description: 'Indicates whether to create an IPv6-only subnet. Default: `false`' + type: boolean + private_subnet_ipv6_prefixes: + default: [] + description: Assigns IPv6 private subnet id based on the Amazon provided /56 prefix + base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet + list + items: + type: string + type: array + private_subnet_names: + default: [] + description: Explicit values to use in the Name tag on private subnets. If empty, + Name tags are generated + items: + type: string + type: array + private_subnet_private_dns_hostname_type_on_launch: + description: 'The type of hostnames to assign to instances in the subnet at launch. + For IPv6-only subnets, an instance DNS name must be based on the instance ID. + For dual-stack and IPv4-only subnets, you can specify whether DNS names use + the instance IPv4 address or the instance ID. 
Valid values: `ip-name`, `resource-name`' + type: string + private_subnet_suffix: + default: private + description: Suffix to append to private subnets name + type: string + private_subnet_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the private subnets + type: object + private_subnet_tags_per_az: + additionalProperties: + additionalProperties: + type: string + type: object + default: {} + description: Additional tags for the private subnets where the primary key is + the AZ + type: object + private_subnets: + default: [] + description: A list of private subnets inside the VPC + items: + type: string + type: array + propagate_intra_route_tables_vgw: + default: false + description: Should be true if you want route table propagation + type: boolean + propagate_private_route_tables_vgw: + default: false + description: Should be true if you want route table propagation + type: boolean + propagate_public_route_tables_vgw: + default: false + description: Should be true if you want route table propagation + type: boolean + public_acl_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the public subnets network ACL + type: object + public_dedicated_network_acl: + default: false + description: Whether to use dedicated network ACL (not default) and custom rules + for public subnets + type: boolean + public_inbound_acl_rules: + default: + - cidr_block: 0.0.0.0/0 + from_port: "0" + protocol: "-1" + rule_action: allow + rule_number: "100" + to_port: "0" + description: Public subnets inbound network ACLs + items: + additionalProperties: + type: string + type: object + type: array + public_outbound_acl_rules: + default: + - cidr_block: 0.0.0.0/0 + from_port: "0" + protocol: "-1" + rule_action: allow + rule_number: "100" + to_port: "0" + description: Public subnets outbound network ACLs + items: + additionalProperties: + type: string + type: object + type: array + public_route_table_tags: + 
additionalProperties: + type: string + default: {} + description: Additional tags for the public route tables + type: object + public_subnet_assign_ipv6_address_on_creation: + default: false + description: Specify true to indicate that network interfaces created in the specified + subnet should be assigned an IPv6 address. Default is `false` + type: boolean + public_subnet_enable_dns64: + default: true + description: 'Indicates whether DNS queries made to the Amazon-provided DNS Resolver + in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. + Default: `true`' + type: boolean + public_subnet_enable_resource_name_dns_a_record_on_launch: + default: false + description: 'Indicates whether to respond to DNS queries for instance hostnames + with DNS A records. Default: `false`' + type: boolean + public_subnet_enable_resource_name_dns_aaaa_record_on_launch: + default: true + description: 'Indicates whether to respond to DNS queries for instance hostnames + with DNS AAAA records. Default: `true`' + type: boolean + public_subnet_ipv6_native: + default: false + description: 'Indicates whether to create an IPv6-only subnet. Default: `false`' + type: boolean + public_subnet_ipv6_prefixes: + default: [] + description: Assigns IPv6 public subnet id based on the Amazon provided /56 prefix + base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet + list + items: + type: string + type: array + public_subnet_names: + default: [] + description: Explicit values to use in the Name tag on public subnets. If empty, + Name tags are generated + items: + type: string + type: array + public_subnet_private_dns_hostname_type_on_launch: + description: 'The type of hostnames to assign to instances in the subnet at launch. + For IPv6-only subnets, an instance DNS name must be based on the instance ID. + For dual-stack and IPv4-only subnets, you can specify whether DNS names use + the instance IPv4 address or the instance ID. 
Valid values: `ip-name`, `resource-name`' + type: string + public_subnet_suffix: + default: public + description: Suffix to append to public subnets name + type: string + public_subnet_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the public subnets + type: object + public_subnet_tags_per_az: + additionalProperties: + additionalProperties: + type: string + type: object + default: {} + description: Additional tags for the public subnets where the primary key is the + AZ + type: object + public_subnets: + default: [] + description: A list of public subnets inside the VPC + items: + type: string + type: array + putin_khuylo: + default: true + description: 'Do you agree that Putin doesn''t respect Ukrainian sovereignty and + territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo!' + type: boolean + redshift_acl_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the redshift subnets network ACL + type: object + redshift_dedicated_network_acl: + default: false + description: Whether to use dedicated network ACL (not default) and custom rules + for redshift subnets + type: boolean + redshift_inbound_acl_rules: + default: + - cidr_block: 0.0.0.0/0 + from_port: "0" + protocol: "-1" + rule_action: allow + rule_number: "100" + to_port: "0" + description: Redshift subnets inbound network ACL rules + items: + additionalProperties: + type: string + type: object + type: array + redshift_outbound_acl_rules: + default: + - cidr_block: 0.0.0.0/0 + from_port: "0" + protocol: "-1" + rule_action: allow + rule_number: "100" + to_port: "0" + description: Redshift subnets outbound network ACL rules + items: + additionalProperties: + type: string + type: object + type: array + redshift_route_table_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the redshift route tables + type: object + 
redshift_subnet_assign_ipv6_address_on_creation: + default: false + description: Specify true to indicate that network interfaces created in the specified + subnet should be assigned an IPv6 address. Default is `false` + type: boolean + redshift_subnet_enable_dns64: + default: true + description: 'Indicates whether DNS queries made to the Amazon-provided DNS Resolver + in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. + Default: `true`' + type: boolean + redshift_subnet_enable_resource_name_dns_a_record_on_launch: + default: false + description: 'Indicates whether to respond to DNS queries for instance hostnames + with DNS A records. Default: `false`' + type: boolean + redshift_subnet_enable_resource_name_dns_aaaa_record_on_launch: + default: true + description: 'Indicates whether to respond to DNS queries for instance hostnames + with DNS AAAA records. Default: `true`' + type: boolean + redshift_subnet_group_name: + description: Name of redshift subnet group + type: string + redshift_subnet_group_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the redshift subnet group + type: object + redshift_subnet_ipv6_native: + default: false + description: 'Indicates whether to create an IPv6-only subnet. Default: `false`' + type: boolean + redshift_subnet_ipv6_prefixes: + default: [] + description: Assigns IPv6 redshift subnet id based on the Amazon provided /56 + prefix base 10 integer (0-256). Must be of equal length to the corresponding + IPv4 subnet list + items: + type: string + type: array + redshift_subnet_names: + default: [] + description: Explicit values to use in the Name tag on redshift subnets. If empty, + Name tags are generated + items: + type: string + type: array + redshift_subnet_private_dns_hostname_type_on_launch: + description: 'The type of hostnames to assign to instances in the subnet at launch. + For IPv6-only subnets, an instance DNS name must be based on the instance ID. 
+ For dual-stack and IPv4-only subnets, you can specify whether DNS names use + the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`' + type: string + redshift_subnet_suffix: + default: redshift + description: Suffix to append to redshift subnets name + type: string + redshift_subnet_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the redshift subnets + type: object + redshift_subnets: + default: [] + description: A list of redshift subnets inside the VPC + items: + type: string + type: array + reuse_nat_ips: + default: false + description: Should be true if you don't want EIPs to be created for your NAT + Gateways and will instead pass them in via the 'external_nat_ip_ids' variable + type: boolean + secondary_cidr_blocks: + default: [] + description: List of secondary CIDR blocks to associate with the VPC to extend + the IP Address pool + items: + type: string + type: array + single_nat_gateway: + default: false + description: Should be true if you want to provision a single shared NAT Gateway + across all of your private networks + type: boolean + tags: + additionalProperties: + type: string + default: {} + description: A map of tags to add to all resources + type: object + use_ipam_pool: + default: false + description: Determines whether IPAM pool is used for CIDR allocation + type: boolean + vpc_flow_log_permissions_boundary: + description: The ARN of the Permissions Boundary for the VPC Flow Log IAM Role + type: string + vpc_flow_log_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the VPC Flow Logs + type: object + vpc_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the VPC + type: object + vpn_gateway_az: + description: The Availability Zone for the VPN Gateway + type: string + vpn_gateway_id: + default: "" + description: ID of VPN Gateway to attach to the VPC + type: string + 
vpn_gateway_tags: + additionalProperties: + type: string + default: {} + description: Additional tags for the VPN gateway + type: object + type: object + + served: true + storage: true diff --git a/test/assets/terraform/api/local.yaml b/test/assets/terraform/api/local.yaml new file mode 100644 index 0000000..8a50616 --- /dev/null +++ b/test/assets/terraform/api/local.yaml @@ -0,0 +1,35 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: examples.example.com +spec: + group: example.com + names: + kind: Example + plural: examples + singular: example + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + properties: + spec: + default: {} + properties: + name: + description: Name for the resource + type: string + size: + default: 1 + type: number + tags: + additionalProperties: + type: string + default: {} + type: object + type: object + + served: true + storage: true diff --git a/test/assets/terraform/api/nested-registry.yaml b/test/assets/terraform/api/nested-registry.yaml new file mode 100644 index 0000000..6ea5a17 --- /dev/null +++ b/test/assets/terraform/api/nested-registry.yaml 
@@ -0,0 +1,75 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: examples.example.com +spec: + group: example.com + names: + kind: Example + plural: examples + singular: example + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + properties: + spec: + default: {} + properties: + create: + default: true + description: Determines whether resources will be created + type: boolean + create_security_group: + default: false + description: Determines if a security group is created + type: boolean + security_group_description: + description: Description of the security group created + type: string + security_group_ids: + default: [] + description: Default security group IDs to associate with the VPC endpoints + items: + type: string + type: array + security_group_name: + description: Name to use on security group created. Conflicts with `security_group_name_prefix` + type: string + security_group_name_prefix: + description: Name prefix to use on security group created. Conflicts with `security_group_name` + type: string + security_group_tags: + additionalProperties: + type: string + default: {} + description: A map of additional tags to add to the security group created + type: object + subnet_ids: + default: [] + description: Default subnets IDs to associate with the VPC endpoints + items: + type: string + type: array + tags: + additionalProperties: + type: string + default: {} + description: A map of tags to use on all resources + type: object + timeouts: + additionalProperties: + type: string + default: {} + description: Define maximum timeout for creating, updating, and deleting VPC endpoint + resources + type: object + vpc_id: + description: The ID of the VPC in which the endpoint will be used + type: string + type: object + + served: true + storage: true 
diff --git a/test/assets/terraform/api/registry.yaml b/test/assets/terraform/api/registry.yaml new file mode 100644 index 0000000..2034768 --- /dev/null +++ b/test/assets/terraform/api/registry.yaml 
@@ -0,0 +1,218 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: examples.example.com +spec: + group: example.com + names: + kind: Example + plural: examples + singular: example + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + type: object + properties: + spec: + default: {} + properties: + acceleration_status: + description: (Optional) Sets the accelerate configuration of an existing bucket. + Can be Enabled or Suspended. + type: string + access_log_delivery_policy_source_accounts: + default: [] + description: (Optional) List of AWS Account IDs should be allowed to deliver access + logs to this bucket. + items: + type: string + type: array + access_log_delivery_policy_source_buckets: + default: [] + description: (Optional) List of S3 bucket ARNs which should be allowed to deliver + access logs to this bucket. + items: + type: string + type: array + acl: + description: (Optional) The canned ACL to apply. Conflicts with `grant` + type: string + allowed_kms_key_arn: + description: The ARN of KMS key which should be allowed in PutObject + type: string + analytics_self_source_destination: + default: false + description: Whether or not the analytics source bucket is also the destination + bucket. + type: boolean + analytics_source_account_id: + description: The analytics source account id. + type: string + analytics_source_bucket_arn: + description: The analytics source bucket ARN. + type: string + attach_access_log_delivery_policy: + default: false + description: Controls if S3 bucket should have S3 access log delivery policy attached + type: boolean + attach_analytics_destination_policy: + default: false + description: Controls if S3 bucket should have bucket analytics destination policy + attached. + type: boolean + attach_deny_incorrect_encryption_headers: + default: false + description: Controls if S3 bucket should deny incorrect encryption headers policy + attached. 
+ type: boolean + attach_deny_incorrect_kms_key_sse: + default: false + description: Controls if S3 bucket policy should deny usage of incorrect KMS key + SSE. + type: boolean + attach_deny_insecure_transport_policy: + default: false + description: Controls if S3 bucket should have deny non-SSL transport policy attached + type: boolean + attach_deny_unencrypted_object_uploads: + default: false + description: Controls if S3 bucket should deny unencrypted object uploads policy + attached. + type: boolean + attach_elb_log_delivery_policy: + default: false + description: Controls if S3 bucket should have ELB log delivery policy attached + type: boolean + attach_inventory_destination_policy: + default: false + description: Controls if S3 bucket should have bucket inventory destination policy + attached. + type: boolean + attach_lb_log_delivery_policy: + default: false + description: Controls if S3 bucket should have ALB/NLB log delivery policy attached + type: boolean + attach_policy: + default: false + description: Controls if S3 bucket should have bucket policy attached (set to + `true` to use value of `policy` as bucket policy) + type: boolean + attach_public_policy: + default: true + description: Controls if a user defined public bucket policy will be attached + (set to `false` to allow upstream to apply defaults to the bucket) + type: boolean + attach_require_latest_tls_policy: + default: false + description: Controls if S3 bucket should require the latest version of TLS + type: boolean + block_public_acls: + default: true + description: Whether Amazon S3 should block public ACLs for this bucket. + type: boolean + block_public_policy: + default: true + description: Whether Amazon S3 should block public bucket policies for this bucket. + type: boolean + bucket: + description: (Optional, Forces new resource) The name of the bucket. If omitted, + Terraform will assign a random, unique name. 
+ type: string + bucket_prefix: + description: (Optional, Forces new resource) Creates a unique bucket name beginning + with the specified prefix. Conflicts with bucket. + type: string + control_object_ownership: + default: false + description: Whether to manage S3 Bucket Ownership Controls on this bucket. + type: boolean + create_bucket: + default: true + description: Controls if S3 bucket should be created + type: boolean + expected_bucket_owner: + description: The account ID of the expected bucket owner + type: string + force_destroy: + default: false + description: (Optional, Default:false ) A boolean that indicates all objects should + be deleted from the bucket so that the bucket can be destroyed without error. + These objects are not recoverable. + type: boolean + ignore_public_acls: + default: true + description: Whether Amazon S3 should ignore public ACLs for this bucket. + type: boolean + inventory_self_source_destination: + default: false + description: Whether or not the inventory source bucket is also the destination + bucket. + type: boolean + inventory_source_account_id: + description: The inventory source account id. + type: string + inventory_source_bucket_arn: + description: The inventory source bucket ARN. + type: string + object_lock_enabled: + default: false + description: Whether S3 bucket should have an Object Lock configuration enabled. + type: boolean + object_ownership: + default: BucketOwnerEnforced + description: 'Object ownership. Valid values: BucketOwnerEnforced, BucketOwnerPreferred + or ObjectWriter. ''BucketOwnerEnforced'': ACLs are disabled, and the bucket + owner automatically owns and has full control over every object in the bucket. + ''BucketOwnerPreferred'': Objects uploaded to the bucket change ownership to + the bucket owner if the objects are uploaded with the bucket-owner-full-control + canned ACL. 
''ObjectWriter'': The uploading account will own the object if the + object is uploaded with the bucket-owner-full-control canned ACL.' + type: string + owner: + additionalProperties: + type: string + default: {} + description: Bucket owner's display name and ID. Conflicts with `acl` + type: object + policy: + description: (Optional) A valid bucket policy JSON document. Note that if the + policy document is not specific enough (but still valid), Terraform may view + the policy as constantly changing in a terraform plan. In this case, please + make sure you use the verbose/specific version of the policy. For more information + about building AWS IAM policy documents with Terraform, see the AWS IAM Policy + Document Guide. + type: string + putin_khuylo: + default: true + description: 'Do you agree that Putin doesn''t respect Ukrainian sovereignty and + territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo!' + type: boolean + request_payer: + description: (Optional) Specifies who should bear the cost of Amazon S3 data transfer. + Can be either BucketOwner or Requester. By default, the owner of the S3 bucket + would incur the costs of any data transfer. See Requester Pays Buckets developer + guide for more information. + type: string + restrict_public_buckets: + default: true + description: Whether Amazon S3 should restrict public bucket policies for this + bucket. + type: boolean + tags: + additionalProperties: + type: string + default: {} + description: (Optional) A mapping of tags to assign to the bucket. + type: object + versioning: + additionalProperties: + type: string + default: {} + description: Map containing versioning configuration. + type: object + type: object + + served: true + storage: true diff --git a/test/init_tf_module_sources_test.go b/test/init_tf_module_sources_test.go index cd19df5..d4d437e 100644 --- a/test/init_tf_module_sources_test.go +++ b/test/init_tf_module_sources_test.go 
@@ -8,7 +8,7 @@ import ( . "github.com/onsi/gomega" "github.com/onsi/gomega/gbytes" "github.com/onsi/gomega/gexec" - "github.com/syntasso/kratix-cli/internal" + apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" "sigs.k8s.io/yaml" ) @@ -17,7 +17,7 @@ type moduleTestCase struct { moduleSource string moduleRegistryVer string expectRegistryEnv bool - expectedTypesFile string + expectedAPIPath string } var _ = Describe("InitTerraformPromise source integration", func() { @@ -25,9 +25,11 @@ var _ = Describe("InitTerraformPromise source integration", func() { Expect(err).NotTo(HaveOccurred()) localModulePath := filepath.Join(cwd, "assets", "terraform", "modules", "local", "basic") - vpcFixture := filepath.Join(cwd, "assets", "terraform", "vars", "vpc-variables.tf") - s3Fixture := filepath.Join(cwd, "assets", "terraform", "vars", "registry-variables.tf") - nestedFixture := filepath.Join(cwd, "assets", "terraform", "vars", "nested-registry-variables.tf") + vpcAPI := filepath.Join(cwd, "assets", "terraform", "api", "git.yaml") + vpcSubdirAPI := filepath.Join(cwd, "assets", "terraform", "api", "git-subdir.yaml") + s3API := filepath.Join(cwd, "assets", "terraform", "api", "registry.yaml") + nestedAPI := filepath.Join(cwd, "assets", "terraform", "api", "nested-registry.yaml") + localAPI := filepath.Join(cwd, "assets", "terraform", "api", "local.yaml") DescribeTable("generates promise schema and workflow envs", func(tc moduleTestCase) { @@ -37,7 +39,7 @@ var _ = Describe("InitTerraformPromise source integration", func() { r := &runner{ exitCode: 0, - Path: os.Getenv("PATH"), + Path: "/opt/homebrew/bin:" + os.Getenv("PATH"), flags: map[string]string{ "--group": "example.com", "--kind": "Example", 
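Review bot: The hard-coded `/opt/homebrew/bin:` prefix on the runner's `Path` in the `@@ -37,7 +39,7 @@` hunk is a developer-machine path that should not be committed: on the Linux CI runner the directory does not exist, and on a macOS box it puts a user-writable Homebrew directory ahead of everything else in PATH, so whichever `terraform` binary lives there silently wins over the one the test would otherwise resolve. Keep the test environment-neutral with `Path: os.Getenv("PATH"),` and let developers put Homebrew on their own PATH, or, if a local override is genuinely needed, read it from an opt-in environment variable instead of baking it in. The `runner` literal continues outside the hunk.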
@@ -65,21 +67,25 @@ var _ = Describe("InitTerraformPromise source integration", func() { } actual := readSpecTypes(workingDir) - expected := expectedTypesFromFixture(tc.expectedTypesFile) + expected := readCRDTypes(tc.expectedAPIPath) Expect(actual).To(Equal(expected)) + + actualCRD := readCRD(workingDir) + expectedCRD := readCRDFromPath(tc.expectedAPIPath) + Expect(actualCRD).To(Equal(expectedCRD)) }, Entry("open source git repo with ref", moduleTestCase{ - name: "git vpc", - moduleSource: "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v5.7.0", - expectedTypesFile: vpcFixture, + name: "git vpc", + moduleSource: "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v5.7.0", + expectedAPIPath: vpcAPI, }, ), - Entry("git repo subdir (mono-repo style)", + Entry("private git repo placeholder with subdir (mono-repo style)", moduleTestCase{ - name: "git subdir", - moduleSource: "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git//modules/vpc-endpoints?ref=v5.7.0", - expectedTypesFile: nestedFixture, + name: "git subdir", + moduleSource: "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git//modules/vpc-endpoints?ref=v5.7.0", + expectedAPIPath: vpcSubdirAPI, }, ), Entry("registry with version", @@ -88,7 +94,7 @@ var _ = Describe("InitTerraformPromise source integration", func() { moduleSource: "terraform-aws-modules/s3-bucket/aws", moduleRegistryVer: "4.1.2", expectRegistryEnv: true, - expectedTypesFile: s3Fixture, + expectedAPIPath: s3API, }, ), Entry("nested registry with version", 
@@ -97,21 +103,14 @@ var _ = Describe("InitTerraformPromise source integration", func() { moduleSource: "terraform-aws-modules/vpc/aws//modules/vpc-endpoints", moduleRegistryVer: "5.7.0", expectRegistryEnv: true, - expectedTypesFile: nestedFixture, - }, - ), - Entry("registry without version", - moduleTestCase{ - name: "registry without version", - moduleSource: "terraform-aws-modules/vpc/aws", - expectedTypesFile: vpcFixture, + expectedAPIPath: nestedAPI, }, ), Entry("local filesystem module", moduleTestCase{ - name: "local module", - moduleSource: localModulePath, - expectedTypesFile: filepath.Join(localModulePath, "variables.tf"), + name: "local module", + moduleSource: localModulePath, + expectedAPIPath: localAPI, }, ), ) 
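Review bot: Removing the `registry without version` entry in the `@@ -97,21 +103,14 @@` hunk leaves no test for an unpinned registry source, which is now the only registry path the table does not cover. If the intent is that a registry source must be pinned with `--module-registry-version`, add a negative entry asserting that the CLI rejects the source without it; if unpinned registry sources are still accepted, the removed entry should return with its own `expectedAPIPath` fixture so that a floating "latest" cannot change the generated schema without a test noticing. Either way the missing-version behaviour is worth pinning here rather than leaving it unexercised.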
@@ -148,52 +147,39 @@ func readWorkflowEnvs(workingDir string) map[string]string { } func readSpecTypes(workingDir string) map[string]string { - apiPath := filepath.Join(workingDir, "api.yaml") - contents, err := os.ReadFile(apiPath) - if err != nil { - contents, err = os.ReadFile(filepath.Join(workingDir, "promise.yaml")) - Expect(err).NotTo(HaveOccurred()) - } - - var doc map[string]any - Expect(yaml.Unmarshal(contents, &doc)).To(Succeed()) - - if kind, _ := doc["kind"].(string); kind == "Promise" { - spec, _ := doc["spec"].(map[string]any) - api, _ := spec["api"].(map[string]any) - doc = api - } - - spec, _ := doc["spec"].(map[string]any) - versions, _ := spec["versions"].([]any) - Expect(versions).ToNot(BeEmpty()) - firstVersion, _ := versions[0].(map[string]any) - schema, _ := firstVersion["schema"].(map[string]any) - openAPISchema, _ := schema["openAPIV3Schema"].(map[string]any) - properties, _ := openAPISchema["properties"].(map[string]any) - specProps, _ := properties["spec"].(map[string]any) - propMap, _ := specProps["properties"].(map[string]any) - Expect(propMap).ToNot(BeNil()) + crd := readCRD(workingDir) + specProps := crd.Spec.Versions[0].Schema.OpenAPIV3Schema.Properties["spec"].Properties result := map[string]string{} - for name, raw := range propMap { - rawMap, _ := raw.(map[string]any) - typ, _ := rawMap["type"].(string) - result[name] = typ + for name, prop := range specProps { + result[name] = prop.Type } - return result } -func expectedTypesFromFixture(fixturePath string) map[string]string { - vars, err := internal.GetVariablesFromModule(fixturePath, "") - Expect(err).NotTo(HaveOccurred()) - schema, warnings := internal.VariablesToCRDSpecSchema(vars) - Expect(warnings).To(BeEmpty()) +func readCRDTypes(fixturePath string) map[string]string { + expected := readCRDFromPath(fixturePath) + specProps := expected.Spec.Versions[0].Schema.OpenAPIV3Schema.Properties["spec"].Properties result := map[string]string{} - for name, prop := range 
schema.Properties { + for name, prop := range specProps { result[name] = prop.Type } return result } + +func readCRD(workingDir string) apiextensionsv1.CustomResourceDefinition { + path := filepath.Join(workingDir, "api.yaml") + if _, err := os.Stat(path); err != nil { + path = filepath.Join(workingDir, "promise.yaml") + } + return readCRDFromPath(path) +} + +func readCRDFromPath(path string) apiextensionsv1.CustomResourceDefinition { + data, err := os.ReadFile(path) + Expect(err).NotTo(HaveOccurred()) + crd := apiextensionsv1.CustomResourceDefinition{} + Expect(yaml.Unmarshal(data, &crd)).To(Succeed()) + return crd +} From bf26830a15f7d3f1c1c35c6a3bdb4ac38c9a6cab Mon Sep 17 00:00:00 2001 From: Jake Date: Wed, 31 Dec 2025 14:36:07 +0000 Subject: [PATCH 11/17] use private repo in test --- test/init_tf_module_sources_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/init_tf_module_sources_test.go b/test/init_tf_module_sources_test.go index d4d437e..177e956 100644 --- a/test/init_tf_module_sources_test.go +++ b/test/init_tf_module_sources_test.go @@ -84,7 +84,7 @@ var _ = Describe("InitTerraformPromise source integration", func() { Entry("private git repo placeholder with subdir (mono-repo style)", moduleTestCase{ name: "git subdir", - moduleSource: "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git//modules/vpc-endpoints?ref=v5.7.0", + moduleSource: "git::https://github.com/syntasso/kratix-cli-private-tf-module-test-fixture.git//modules/vpc-endpoints?ref=v5.7.0", expectedAPIPath: vpcSubdirAPI, }, ), From 81a3251d7ce82bf1e38a9bc74f62e180da8418d0 Mon Sep 17 00:00:00 2001 From: Jake Date: Wed, 31 Dec 2025 15:10:50 +0000 Subject: [PATCH 12/17] setup deploy key before running tests --- .github/workflows/tests.yaml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index ba3723f..cfc9605 100644 --- a/.github/workflows/tests.yaml 
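Review bot: `readCRD` in the `@@ -148,52 +147,39 @@` hunk falls back to `promise.yaml` but then decodes it straight into `apiextensionsv1.CustomResourceDefinition`, whereas the removed code descended into `spec.api` when `kind == "Promise"`; a Promise document decoded as a CRD yields an empty `Spec.Versions`, and the unguarded `crd.Spec.Versions[0]` in `readSpecTypes` and `readCRDTypes` then panics with an index-out-of-range instead of producing a readable assertion failure. Keep the old guard with `Expect(crd.Spec.Versions).ToNot(BeEmpty())` before indexing, and have the promise.yaml path unwrap `spec.api` before decoding (or drop the fallback if the generator always writes api.yaml). `readSpecTypes` and `readCRDTypes` are also now the same loop over different inputs and could share one helper.

```go
func readCRD(workingDir string) apiextensionsv1.CustomResourceDefinition {
	path := filepath.Join(workingDir, "api.yaml")
	if _, err := os.Stat(path); err == nil {
		return readCRDFromPath(path)
	}
	// promise.yaml wraps the CRD under spec.api; unwrap it before decoding.
	data, err := os.ReadFile(filepath.Join(workingDir, "promise.yaml"))
	Expect(err).NotTo(HaveOccurred())
	var promise struct {
		Spec struct {
			API apiextensionsv1.CustomResourceDefinition `json:"api"`
		} `json:"spec"`
	}
	Expect(yaml.Unmarshal(data, &promise)).To(Succeed())
	Expect(promise.Spec.API.Spec.Versions).ToNot(BeEmpty())
	return promise.Spec.API
}
```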
+++ b/.github/workflows/tests.yaml @@ -21,6 +21,14 @@ jobs: check-latest: true - name: Install Terraform CLI uses: hashicorp/setup-terraform@v3 + - name: Setup SSH Agent + uses: webfactory/ssh-agent@v0.9.0 + with: + ssh-private-key: ${{ secrets.SYNTASSO_KRATIX_CLI_PRIVATE_TF_MODULE_TEST_FIXTURE_REPO_DEPLOY_KEY }} + - name: Setup SSH + run: | + mkdir -p ~/.ssh + ssh-keyscan github.com >> ~/.ssh/known_hosts - name: Run make test run: make test - name: Run govulncheck @@ -55,4 +63,4 @@ jobs: release-please \ --token=$TOKEN \ --repo-url=syntasso/kratix-cli \ - release-pr \ No newline at end of file + release-pr From eaa6f0d1bcf638c78d64e350e42efdaccc12978c Mon Sep 17 00:00:00 2001 From: Jake Date: Wed, 31 Dec 2025 15:23:04 +0000 Subject: [PATCH 13/17] delete unused files, refactor tests, use ssh for sys test --- internal/terraform_module.go | 3 + internal/terraform_module_test.go | 2 +- nested-registry-variables.tf | 81 - registry-variables.tf | 267 --- stages/terraform-module-promise/main.go | 2 +- .../vars/nested-registry-variables.tf | 81 - .../terraform/vars/registry-variables.tf | 317 ---- test/assets/terraform/vars/vpc-variables.tf | 1597 ----------------- test/init_tf_module_sources_test.go | 2 +- variables.tf | 1597 ----------------- 10 files changed, 6 insertions(+), 3943 deletions(-) delete mode 100644 nested-registry-variables.tf delete mode 100644 registry-variables.tf delete mode 100644 test/assets/terraform/vars/nested-registry-variables.tf delete mode 100644 test/assets/terraform/vars/registry-variables.tf delete mode 100644 test/assets/terraform/vars/vpc-variables.tf delete mode 100644 variables.tf diff --git a/internal/terraform_module.go b/internal/terraform_module.go index 866dabe..bb5ef8c 100644 --- a/internal/terraform_module.go +++ b/internal/terraform_module.go 
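Review bot: `ssh-keyscan github.com >> ~/.ssh/known_hosts` in the `@@ -21,6 +21,14 @@` hunk trusts whatever host key is presented to the runner at job time, so a hijacked first connection is accepted and the impostor can serve arbitrary module content to the test job; write GitHub's published host keys into `known_hosts` from the documented fingerprints instead (and fail if a scan disagrees), and if `webfactory/ssh-agent` already populates `known_hosts` for github.com the step is redundant anyway. The third-party action is pinned only to the movable tag `v0.9.0`; pinning to the full commit SHA, `uses: webfactory/ssh-agent@<sha> # v0.9.0`, is the usual supply-chain guard for an action that is handed a private key. Since the key comes from `secrets.*`, pull-request jobs from forks will not receive it and the private-module test will fail for them; the workflow trigger is outside the hunk, so a fork-safe skip may already exist.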
@@ -110,14 +110,17 @@ func resolveModuleDir(workDir string) (string, error) { } func IsTerraformRegistrySource(moduleSource string) bool { + // Local filepaths if strings.HasPrefix(moduleSource, "./") || strings.HasPrefix(moduleSource, "../") || strings.HasPrefix(moduleSource, "/") { return false } + // URLs and other schemes if strings.Contains(moduleSource, "://") || strings.Contains(moduleSource, "::") { return false } + // Otherwise assume it's a registry source if it has at least two slashes return strings.Count(moduleSource, "/") >= 2 } diff --git a/internal/terraform_module_test.go b/internal/terraform_module_test.go index 916999a..7d1a836 100644 --- a/internal/terraform_module_test.go +++ b/internal/terraform_module_test.go @@ -246,7 +246,7 @@ var _ = Describe("IsTerraformRegistrySource", func() { Expect(internal.IsTerraformRegistrySource(source)).To(Equal(expected)) }, Entry("registry path", "namespace/name/provider", true), - Entry("nested registry path", "foo/bar/baz", true), + Entry("nested registry path", "foo/bar/baz//bob/banana", true), Entry("git URL", "git::https://github.com/org/repo.git?ref=v1.0.0", false), Entry("local path", "./modules/vpc", false), Entry("absolute path", "/tmp/module", false), diff --git a/nested-registry-variables.tf b/nested-registry-variables.tf deleted file mode 100644 index 30a747a..0000000 --- a/nested-registry-variables.tf +++ /dev/null 
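Review bot: The two-slash rule the new comment documents in the `@@ -110,14 +110,17 @@` hunk classifies Terraform's scheme-less forge shorthand, `github.com/org/repo` or `bitbucket.org/org/repo`, as a registry source, because those contain neither `://` nor `::` and have two slashes. If the CLI supports that shorthand, add an explicit non-registry case before the slash count, e.g. `if strings.HasPrefix(moduleSource, "github.com/") || strings.HasPrefix(moduleSource, "bitbucket.org/") { return false }`, and pin it in the sibling table test with `Entry("github shorthand", "github.com/org/repo", false)`; if it is deliberately unsupported, say so in the comment so the heuristic's limits are clear.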
@@ -1,81 +0,0 @@ -variable "create" { - description = "Determines whether resources will be created" - type = bool - default = true -} - -variable "vpc_id" { - description = "The ID of the VPC in which the endpoint will be used" - type = string - default = null -} - -variable "endpoints" { - description = "A map of interface and/or gateway endpoints containing their properties and configurations" - type = any - default = {} -} - -variable "security_group_ids" { - description = "Default security group IDs to associate with the VPC endpoints" - type = list(string) - default = [] -} - -variable "subnet_ids" { - description = "Default subnets IDs to associate with the VPC endpoints" - type = list(string) - default = [] -} - -variable "tags" { - description = "A map of tags to use on all resources" - type = map(string) - default = {} -} - -variable "timeouts" { - description = "Define maximum timeout for creating, updating, and deleting VPC endpoint resources" - type = map(string) - default = {} -} - -################################################################################ -# Security Group -################################################################################ - -variable "create_security_group" { - description = "Determines if a security group is created" - type = bool - default = false -} - -variable "security_group_name" { - description = "Name to use on security group created. Conflicts with `security_group_name_prefix`" - type = string - default = null -} - -variable "security_group_name_prefix" { - description = "Name prefix to use on security group created. 
Conflicts with `security_group_name`" - type = string - default = null -} - -variable "security_group_description" { - description = "Description of the security group created" - type = string - default = null -} - -variable "security_group_rules" { - description = "Security group rules to add to the security group created" - type = any - default = {} -} - -variable "security_group_tags" { - description = "A map of additional tags to add to the security group created" - type = map(string) - default = {} -} diff --git a/registry-variables.tf b/registry-variables.tf deleted file mode 100644 index 9a77af7..0000000 --- a/registry-variables.tf +++ /dev/null 
@@ -1,267 +0,0 @@ -Optional Inputs -These variables have default values and don't have to be set to use this module. You may set these variables to override their default values. This module has no required variables. - -acceleration_status string -Description: (Optional) Sets the accelerate configuration of an existing bucket. Can be Enabled or Suspended. - -Default: null - -access_log_delivery_policy_source_accounts list(string) -Description: (Optional) List of AWS Account IDs should be allowed to deliver access logs to this bucket. - -Default: [] - -access_log_delivery_policy_source_buckets list(string) -Description: (Optional) List of S3 bucket ARNs which should be allowed to deliver access logs to this bucket. - -Default: [] - -acl string -Description: (Optional) The canned ACL to apply. Conflicts with `grant` - -Default: null - -allowed_kms_key_arn string -Description: The ARN of KMS key which should be allowed in PutObject - -Default: null - -analytics_configuration any -Description: Map containing bucket analytics configuration. - -Default: {} - -analytics_self_source_destination bool -Description: Whether or not the analytics source bucket is also the destination bucket. - -Default: false - -analytics_source_account_id string -Description: The analytics source account id. - -Default: null - -analytics_source_bucket_arn string -Description: The analytics source bucket ARN. - -Default: null - -attach_access_log_delivery_policy bool -Description: Controls if S3 bucket should have S3 access log delivery policy attached - -Default: false - -attach_analytics_destination_policy bool -Description: Controls if S3 bucket should have bucket analytics destination policy attached. - -Default: false - -attach_deny_incorrect_encryption_headers bool -Description: Controls if S3 bucket should deny incorrect encryption headers policy attached. 
- -Default: false - -attach_deny_incorrect_kms_key_sse bool -Description: Controls if S3 bucket policy should deny usage of incorrect KMS key SSE. - -Default: false - -attach_deny_insecure_transport_policy bool -Description: Controls if S3 bucket should have deny non-SSL transport policy attached - -Default: false - -attach_deny_unencrypted_object_uploads bool -Description: Controls if S3 bucket should deny unencrypted object uploads policy attached. - -Default: false - -attach_elb_log_delivery_policy bool -Description: Controls if S3 bucket should have ELB log delivery policy attached - -Default: false - -attach_inventory_destination_policy bool -Description: Controls if S3 bucket should have bucket inventory destination policy attached. - -Default: false - -attach_lb_log_delivery_policy bool -Description: Controls if S3 bucket should have ALB/NLB log delivery policy attached - -Default: false - -attach_policy bool -Description: Controls if S3 bucket should have bucket policy attached (set to `true` to use value of `policy` as bucket policy) - -Default: false - -attach_public_policy bool -Description: Controls if a user defined public bucket policy will be attached (set to `false` to allow upstream to apply defaults to the bucket) - -Default: true - -attach_require_latest_tls_policy bool -Description: Controls if S3 bucket should require the latest version of TLS - -Default: false - -block_public_acls bool -Description: Whether Amazon S3 should block public ACLs for this bucket. - -Default: true - -block_public_policy bool -Description: Whether Amazon S3 should block public bucket policies for this bucket. - -Default: true - -bucket string -Description: (Optional, Forces new resource) The name of the bucket. If omitted, Terraform will assign a random, unique name. - -Default: null - -bucket_prefix string -Description: (Optional, Forces new resource) Creates a unique bucket name beginning with the specified prefix. Conflicts with bucket. 
- -Default: null - -control_object_ownership bool -Description: Whether to manage S3 Bucket Ownership Controls on this bucket. - -Default: false - -cors_rule any -Description: List of maps containing rules for Cross-Origin Resource Sharing. - -Default: [] - -create_bucket bool -Description: Controls if S3 bucket should be created - -Default: true - -expected_bucket_owner string -Description: The account ID of the expected bucket owner - -Default: null - -force_destroy bool -Description: (Optional, Default:false ) A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. - -Default: false - -grant any -Description: An ACL policy grant. Conflicts with `acl` - -Default: [] - -ignore_public_acls bool -Description: Whether Amazon S3 should ignore public ACLs for this bucket. - -Default: true - -intelligent_tiering any -Description: Map containing intelligent tiering configuration. - -Default: {} - -inventory_configuration any -Description: Map containing S3 inventory configuration. - -Default: {} - -inventory_self_source_destination bool -Description: Whether or not the inventory source bucket is also the destination bucket. - -Default: false - -inventory_source_account_id string -Description: The inventory source account id. - -Default: null - -inventory_source_bucket_arn string -Description: The inventory source bucket ARN. - -Default: null - -lifecycle_rule any -Description: List of maps containing configuration of object lifecycle management. - -Default: [] - -logging any -Description: Map containing access bucket logging configuration. - -Default: {} - -metric_configuration any -Description: Map containing bucket metric configuration. - -Default: [] - -object_lock_configuration any -Description: Map containing S3 object locking configuration. - -Default: {} - -object_lock_enabled bool -Description: Whether S3 bucket should have an Object Lock configuration enabled. 
- -Default: false - -object_ownership string -Description: Object ownership. Valid values: BucketOwnerEnforced, BucketOwnerPreferred or ObjectWriter. 'BucketOwnerEnforced': ACLs are disabled, and the bucket owner automatically owns and has full control over every object in the bucket. 'BucketOwnerPreferred': Objects uploaded to the bucket change ownership to the bucket owner if the objects are uploaded with the bucket-owner-full-control canned ACL. 'ObjectWriter': The uploading account will own the object if the object is uploaded with the bucket-owner-full-control canned ACL. - -Default: "BucketOwnerEnforced" - -owner map(string) -Description: Bucket owner's display name and ID. Conflicts with `acl` - -Default: {} - -policy string -Description: (Optional) A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide. - -Default: null - -putin_khuylo bool -Description: Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo! - -Default: true - -replication_configuration any -Description: Map containing cross-region replication configuration. - -Default: {} - -request_payer string -Description: (Optional) Specifies who should bear the cost of Amazon S3 data transfer. Can be either BucketOwner or Requester. By default, the owner of the S3 bucket would incur the costs of any data transfer. See Requester Pays Buckets developer guide for more information. - -Default: null - -restrict_public_buckets bool -Description: Whether Amazon S3 should restrict public bucket policies for this bucket. 
- -Default: true - -server_side_encryption_configuration any -Description: Map containing server-side encryption configuration. - -Default: {} - -tags map(string) -Description: (Optional) A mapping of tags to assign to the bucket. - -Default: {} - -versioning map(string) -Description: Map containing versioning configuration. - -Default: {} - -website any -Description: Map containing static web-site hosting or redirect configuration. - -Default: {} diff --git a/stages/terraform-module-promise/main.go b/stages/terraform-module-promise/main.go index b1cc393..800afec 100644 --- a/stages/terraform-module-promise/main.go +++ b/stages/terraform-module-promise/main.go @@ -56,7 +56,7 @@ func main() { }, } - if moduleRegistryVersion != "" && internal.IsTerraformRegistrySource(moduleSource) { + if moduleRegistryVersion != "" { module["module"][uniqueFileName]["version"] = moduleRegistryVersion } diff --git a/test/assets/terraform/vars/nested-registry-variables.tf b/test/assets/terraform/vars/nested-registry-variables.tf deleted file mode 100644 index 30a747a..0000000 --- a/test/assets/terraform/vars/nested-registry-variables.tf +++ /dev/null 
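Review bot: Dropping the `internal.IsTerraformRegistrySource(moduleSource)` guard in the `@@ -56,7 +56,7 @@` hunk means any non-empty `moduleRegistryVersion` is written as a `version` argument even when the source is a git URL or a local path, and Terraform rejects a `version` constraint on a module whose source is not a registry address, so the generated configuration fails at `terraform init` inside the pipeline rather than when the promise is generated. If the intent is for the stage to trust its inputs, the CLI that sets these values should refuse a registry version for a non-registry source up front, e.g. `if moduleRegistryVersion != "" && !internal.IsTerraformRegistrySource(moduleSource) { return fmt.Errorf("--module-registry-version is only valid for Terraform registry sources") }`; otherwise keep the guard here. The enclosing `main` starts and ends outside the hunk.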
@@ -1,81 +0,0 @@ -variable "create" { - description = "Determines whether resources will be created" - type = bool - default = true -} - -variable "vpc_id" { - description = "The ID of the VPC in which the endpoint will be used" - type = string - default = null -} - -variable "endpoints" { - description = "A map of interface and/or gateway endpoints containing their properties and configurations" - type = any - default = {} -} - -variable "security_group_ids" { - description = "Default security group IDs to associate with the VPC endpoints" - type = list(string) - default = [] -} - -variable "subnet_ids" { - description = "Default subnets IDs to associate with the VPC endpoints" - type = list(string) - default = [] -} - -variable "tags" { - description = "A map of tags to use on all resources" - type = map(string) - default = {} -} - -variable "timeouts" { - description = "Define maximum timeout for creating, updating, and deleting VPC endpoint resources" - type = map(string) - default = {} -} - -################################################################################ -# Security Group -################################################################################ - -variable "create_security_group" { - description = "Determines if a security group is created" - type = bool - default = false -} - -variable "security_group_name" { - description = "Name to use on security group created. Conflicts with `security_group_name_prefix`" - type = string - default = null -} - -variable "security_group_name_prefix" { - description = "Name prefix to use on security group created. 
Conflicts with `security_group_name`" - type = string - default = null -} - -variable "security_group_description" { - description = "Description of the security group created" - type = string - default = null -} - -variable "security_group_rules" { - description = "Security group rules to add to the security group created" - type = any - default = {} -} - -variable "security_group_tags" { - description = "A map of additional tags to add to the security group created" - type = map(string) - default = {} -} diff --git a/test/assets/terraform/vars/registry-variables.tf b/test/assets/terraform/vars/registry-variables.tf deleted file mode 100644 index 95e0cb4..0000000 --- a/test/assets/terraform/vars/registry-variables.tf +++ /dev/null 
@@ -1,317 +0,0 @@ -variable "create_bucket" { - description = "Controls if S3 bucket should be created" - type = bool - default = true -} - -variable "attach_elb_log_delivery_policy" { - description = "Controls if S3 bucket should have ELB log delivery policy attached" - type = bool - default = false -} - -variable "attach_lb_log_delivery_policy" { - description = "Controls if S3 bucket should have ALB/NLB log delivery policy attached" - type = bool - default = false -} - -variable "attach_access_log_delivery_policy" { - description = "Controls if S3 bucket should have S3 access log delivery policy attached" - type = bool - default = false -} - -variable "attach_deny_insecure_transport_policy" { - description = "Controls if S3 bucket should have deny non-SSL transport policy attached" - type = bool - default = false -} - -variable "attach_require_latest_tls_policy" { - description = "Controls if S3 bucket should require the latest version of TLS" - type = bool - default = false -} - -variable "attach_policy" { - description = "Controls if S3 bucket should have bucket policy attached (set to `true` to use value of `policy` as bucket policy)" - type = bool - default = false -} - -variable "attach_public_policy" { - description = "Controls if a user defined public bucket policy will be attached (set to `false` to allow upstream to apply defaults to the bucket)" - type = bool - default = true -} - -variable "attach_inventory_destination_policy" { - description = "Controls if S3 bucket should have bucket inventory destination policy attached." - type = bool - default = false -} - -variable "attach_analytics_destination_policy" { - description = "Controls if S3 bucket should have bucket analytics destination policy attached." - type = bool - default = false -} - -variable "attach_deny_incorrect_encryption_headers" { - description = "Controls if S3 bucket should deny incorrect encryption headers policy attached." 
- type = bool - default = false -} - -variable "attach_deny_incorrect_kms_key_sse" { - description = "Controls if S3 bucket policy should deny usage of incorrect KMS key SSE." - type = bool - default = false -} - -variable "allowed_kms_key_arn" { - description = "The ARN of KMS key which should be allowed in PutObject" - type = string - default = null -} - -variable "attach_deny_unencrypted_object_uploads" { - description = "Controls if S3 bucket should deny unencrypted object uploads policy attached." - type = bool - default = false -} - -variable "bucket" { - description = "(Optional, Forces new resource) The name of the bucket. If omitted, Terraform will assign a random, unique name." - type = string - default = null -} - -variable "bucket_prefix" { - description = "(Optional, Forces new resource) Creates a unique bucket name beginning with the specified prefix. Conflicts with bucket." - type = string - default = null -} - -variable "acl" { - description = "(Optional) The canned ACL to apply. Conflicts with `grant`" - type = string - default = null -} - -variable "policy" { - description = "(Optional) A valid bucket policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide." - type = string - default = null -} - -variable "tags" { - description = "(Optional) A mapping of tags to assign to the bucket." - type = map(string) - default = {} -} - -variable "force_destroy" { - description = "(Optional, Default:false ) A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable." 
- type = bool - default = false -} - -variable "acceleration_status" { - description = "(Optional) Sets the accelerate configuration of an existing bucket. Can be Enabled or Suspended." - type = string - default = null -} - -variable "request_payer" { - description = "(Optional) Specifies who should bear the cost of Amazon S3 data transfer. Can be either BucketOwner or Requester. By default, the owner of the S3 bucket would incur the costs of any data transfer. See Requester Pays Buckets developer guide for more information." - type = string - default = null -} - -variable "website" { - description = "Map containing static web-site hosting or redirect configuration." - type = any # map(string) - default = {} -} - -variable "cors_rule" { - description = "List of maps containing rules for Cross-Origin Resource Sharing." - type = any - default = [] -} - -variable "versioning" { - description = "Map containing versioning configuration." - type = map(string) - default = {} -} - -variable "logging" { - description = "Map containing access bucket logging configuration." - type = any - default = {} -} - -variable "access_log_delivery_policy_source_buckets" { - description = "(Optional) List of S3 bucket ARNs which should be allowed to deliver access logs to this bucket." - type = list(string) - default = [] -} - -variable "access_log_delivery_policy_source_accounts" { - description = "(Optional) List of AWS Account IDs should be allowed to deliver access logs to this bucket." - type = list(string) - default = [] -} - -variable "grant" { - description = "An ACL policy grant. Conflicts with `acl`" - type = any - default = [] -} - -variable "owner" { - description = "Bucket owner's display name and ID. 
Conflicts with `acl`" - type = map(string) - default = {} -} - -variable "expected_bucket_owner" { - description = "The account ID of the expected bucket owner" - type = string - default = null -} - -variable "lifecycle_rule" { - description = "List of maps containing configuration of object lifecycle management." - type = any - default = [] -} - -variable "replication_configuration" { - description = "Map containing cross-region replication configuration." - type = any - default = {} -} - -variable "server_side_encryption_configuration" { - description = "Map containing server-side encryption configuration." - type = any - default = {} -} - -variable "intelligent_tiering" { - description = "Map containing intelligent tiering configuration." - type = any - default = {} -} - -variable "object_lock_configuration" { - description = "Map containing S3 object locking configuration." - type = any - default = {} -} - -variable "metric_configuration" { - description = "Map containing bucket metric configuration." - type = any - default = [] -} - -variable "inventory_configuration" { - description = "Map containing S3 inventory configuration." - type = any - default = {} -} - -variable "inventory_source_account_id" { - description = "The inventory source account id." - type = string - default = null -} - -variable "inventory_source_bucket_arn" { - description = "The inventory source bucket ARN." - type = string - default = null -} - -variable "inventory_self_source_destination" { - description = "Whether or not the inventory source bucket is also the destination bucket." - type = bool - default = false -} - -variable "analytics_configuration" { - description = "Map containing bucket analytics configuration." - type = any - default = {} -} - -variable "analytics_source_account_id" { - description = "The analytics source account id." - type = string - default = null -} - -variable "analytics_source_bucket_arn" { - description = "The analytics source bucket ARN." 
- type = string - default = null -} - -variable "analytics_self_source_destination" { - description = "Whether or not the analytics source bucket is also the destination bucket." - type = bool - default = false -} - -variable "object_lock_enabled" { - description = "Whether S3 bucket should have an Object Lock configuration enabled." - type = bool - default = false -} - -variable "block_public_acls" { - description = "Whether Amazon S3 should block public ACLs for this bucket." - type = bool - default = true -} - -variable "block_public_policy" { - description = "Whether Amazon S3 should block public bucket policies for this bucket." - type = bool - default = true -} - -variable "ignore_public_acls" { - description = "Whether Amazon S3 should ignore public ACLs for this bucket." - type = bool - default = true -} - -variable "restrict_public_buckets" { - description = "Whether Amazon S3 should restrict public bucket policies for this bucket." - type = bool - default = true -} - -variable "control_object_ownership" { - description = "Whether to manage S3 Bucket Ownership Controls on this bucket." - type = bool - default = false -} - -variable "object_ownership" { - description = "Object ownership. Valid values: BucketOwnerEnforced, BucketOwnerPreferred or ObjectWriter. 'BucketOwnerEnforced': ACLs are disabled, and the bucket owner automatically owns and has full control over every object in the bucket. 'BucketOwnerPreferred': Objects uploaded to the bucket change ownership to the bucket owner if the objects are uploaded with the bucket-owner-full-control canned ACL. 'ObjectWriter': The uploading account will own the object if the object is uploaded with the bucket-owner-full-control canned ACL." - type = string - default = "BucketOwnerEnforced" -} - -variable "putin_khuylo" { - description = "Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo!" 
- type = bool - default = true -} diff --git a/test/assets/terraform/vars/vpc-variables.tf b/test/assets/terraform/vars/vpc-variables.tf deleted file mode 100644 index ce81d68..0000000 --- a/test/assets/terraform/vars/vpc-variables.tf +++ /dev/null 
@@ -1,1597 +0,0 @@ -################################################################################ -# VPC -################################################################################ - -variable "create_vpc" { - description = "Controls if VPC should be created (it affects almost all resources)" - type = bool - default = true -} - -variable "name" { - description = "Name to be used on all the resources as identifier" - type = string - default = "" -} - -variable "cidr" { - description = "(Optional) The IPv4 CIDR block for the VPC. CIDR can be explicitly set or it can be derived from IPAM using `ipv4_netmask_length` & `ipv4_ipam_pool_id`" - type = string - default = "10.0.0.0/16" -} - -variable "secondary_cidr_blocks" { - description = "List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool" - type = list(string) - default = [] -} - -variable "instance_tenancy" { - description = "A tenancy option for instances launched into the VPC" - type = string - default = "default" -} - -variable "azs" { - description = "A list of availability zones names or ids in the region" - type = list(string) - default = [] -} - -variable "enable_dns_hostnames" { - description = "Should be true to enable DNS hostnames in the VPC" - type = bool - default = true -} - -variable "enable_dns_support" { - description = "Should be true to enable DNS support in the VPC" - type = bool - default = true -} - -variable "enable_network_address_usage_metrics" { - description = "Determines whether network address usage metrics are enabled for the VPC" - type = bool - default = null -} - -variable "use_ipam_pool" { - description = "Determines whether IPAM pool is used for CIDR allocation" - type = bool - default = false -} - -variable "ipv4_ipam_pool_id" { - description = "(Optional) The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR" - type = string - default = null -} - -variable "ipv4_netmask_length" { - description = "(Optional) The netmask 
length of the IPv4 CIDR you want to allocate to this VPC. Requires specifying a ipv4_ipam_pool_id" - type = number - default = null -} - -variable "enable_ipv6" { - description = "Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block" - type = bool - default = false -} - -variable "ipv6_cidr" { - description = "(Optional) IPv6 CIDR block to request from an IPAM Pool. Can be set explicitly or derived from IPAM using `ipv6_netmask_length`" - type = string - default = null -} - -variable "ipv6_ipam_pool_id" { - description = "(Optional) IPAM Pool ID for a IPv6 pool. Conflicts with `assign_generated_ipv6_cidr_block`" - type = string - default = null -} - -variable "ipv6_netmask_length" { - description = "(Optional) Netmask length to request from IPAM Pool. Conflicts with `ipv6_cidr_block`. This can be omitted if IPAM pool as a `allocation_default_netmask_length` set. Valid values: `56`" - type = number - default = null -} - -variable "ipv6_cidr_block_network_border_group" { - description = "By default when an IPv6 CIDR is assigned to a VPC a default ipv6_cidr_block_network_border_group will be set to the region of the VPC. 
This can be changed to restrict advertisement of public addresses to specific Network Border Groups such as LocalZones" - type = string - default = null -} - -variable "vpc_tags" { - description = "Additional tags for the VPC" - type = map(string) - default = {} -} - -variable "tags" { - description = "A map of tags to add to all resources" - type = map(string) - default = {} -} - -################################################################################ -# DHCP Options Set -################################################################################ - -variable "enable_dhcp_options" { - description = "Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type" - type = bool - default = false -} - -variable "dhcp_options_domain_name" { - description = "Specifies DNS name for DHCP options set (requires enable_dhcp_options set to true)" - type = string - default = "" -} - -variable "dhcp_options_domain_name_servers" { - description = "Specify a list of DNS server addresses for DHCP options set, default to AWS provided (requires enable_dhcp_options set to true)" - type = list(string) - default = ["AmazonProvidedDNS"] -} - -variable "dhcp_options_ntp_servers" { - description = "Specify a list of NTP servers for DHCP options set (requires enable_dhcp_options set to true)" - type = list(string) - default = [] -} - -variable "dhcp_options_netbios_name_servers" { - description = "Specify a list of netbios servers for DHCP options set (requires enable_dhcp_options set to true)" - type = list(string) - default = [] -} - -variable "dhcp_options_netbios_node_type" { - description = "Specify netbios node_type for DHCP options set (requires enable_dhcp_options set to true)" - type = string - default = "" -} - -variable "dhcp_options_tags" { - description = "Additional tags for the DHCP option set (requires enable_dhcp_options set to true)" - type = map(string) - default = {} 
-} - -################################################################################ -# Publiс Subnets -################################################################################ - -variable "public_subnets" { - description = "A list of public subnets inside the VPC" - type = list(string) - default = [] -} - -variable "public_subnet_assign_ipv6_address_on_creation" { - description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`" - type = bool - default = false -} - -variable "public_subnet_enable_dns64" { - description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`" - type = bool - default = true -} - -variable "public_subnet_enable_resource_name_dns_aaaa_record_on_launch" { - description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`" - type = bool - default = true -} - -variable "public_subnet_enable_resource_name_dns_a_record_on_launch" { - description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`" - type = bool - default = false -} - -variable "public_subnet_ipv6_prefixes" { - description = "Assigns IPv6 public subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list" - type = list(string) - default = [] -} - -variable "public_subnet_ipv6_native" { - description = "Indicates whether to create an IPv6-only subnet. Default: `false`" - type = bool - default = false -} - -variable "map_public_ip_on_launch" { - description = "Specify true to indicate that instances launched into the subnet should be assigned a public IP address. 
Default is `false`" - type = bool - default = false -} - -variable "public_subnet_private_dns_hostname_type_on_launch" { - description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`" - type = string - default = null -} - -variable "public_subnet_names" { - description = "Explicit values to use in the Name tag on public subnets. If empty, Name tags are generated" - type = list(string) - default = [] -} - -variable "public_subnet_suffix" { - description = "Suffix to append to public subnets name" - type = string - default = "public" -} - -variable "public_subnet_tags" { - description = "Additional tags for the public subnets" - type = map(string) - default = {} -} - -variable "public_subnet_tags_per_az" { - description = "Additional tags for the public subnets where the primary key is the AZ" - type = map(map(string)) - default = {} -} - -variable "public_route_table_tags" { - description = "Additional tags for the public route tables" - type = map(string) - default = {} -} - -################################################################################ -# Public Network ACLs -################################################################################ - -variable "public_dedicated_network_acl" { - description = "Whether to use dedicated network ACL (not default) and custom rules for public subnets" - type = bool - default = false -} - -variable "public_inbound_acl_rules" { - description = "Public subnets inbound network ACLs" - type = list(map(string)) - default = [ - { - rule_number = 100 - rule_action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - ] -} - -variable "public_outbound_acl_rules" { - description = "Public subnets outbound network ACLs" - 
type = list(map(string)) - default = [ - { - rule_number = 100 - rule_action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - ] -} - -variable "public_acl_tags" { - description = "Additional tags for the public subnets network ACL" - type = map(string) - default = {} -} - -################################################################################ -# Private Subnets -################################################################################ - -variable "private_subnets" { - description = "A list of private subnets inside the VPC" - type = list(string) - default = [] -} - -variable "private_subnet_assign_ipv6_address_on_creation" { - description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`" - type = bool - default = false -} - -variable "private_subnet_enable_dns64" { - description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`" - type = bool - default = true -} - -variable "private_subnet_enable_resource_name_dns_aaaa_record_on_launch" { - description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`" - type = bool - default = true -} - -variable "private_subnet_enable_resource_name_dns_a_record_on_launch" { - description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`" - type = bool - default = false -} - -variable "private_subnet_ipv6_prefixes" { - description = "Assigns IPv6 private subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list" - type = list(string) - default = [] -} - -variable "private_subnet_ipv6_native" { - description = "Indicates whether to create an IPv6-only subnet. 
Default: `false`" - type = bool - default = false -} - -variable "private_subnet_private_dns_hostname_type_on_launch" { - description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`" - type = string - default = null -} - -variable "private_subnet_names" { - description = "Explicit values to use in the Name tag on private subnets. If empty, Name tags are generated" - type = list(string) - default = [] -} - -variable "private_subnet_suffix" { - description = "Suffix to append to private subnets name" - type = string - default = "private" -} - -variable "private_subnet_tags" { - description = "Additional tags for the private subnets" - type = map(string) - default = {} -} - -variable "private_subnet_tags_per_az" { - description = "Additional tags for the private subnets where the primary key is the AZ" - type = map(map(string)) - default = {} -} - -variable "private_route_table_tags" { - description = "Additional tags for the private route tables" - type = map(string) - default = {} -} - -################################################################################ -# Private Network ACLs -################################################################################ - -variable "private_dedicated_network_acl" { - description = "Whether to use dedicated network ACL (not default) and custom rules for private subnets" - type = bool - default = false -} - -variable "private_inbound_acl_rules" { - description = "Private subnets inbound network ACLs" - type = list(map(string)) - default = [ - { - rule_number = 100 - rule_action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - ] -} - -variable "private_outbound_acl_rules" { - description = "Private subnets outbound 
network ACLs" - type = list(map(string)) - default = [ - { - rule_number = 100 - rule_action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - ] -} - -variable "private_acl_tags" { - description = "Additional tags for the private subnets network ACL" - type = map(string) - default = {} -} - -################################################################################ -# Database Subnets -################################################################################ - -variable "database_subnets" { - description = "A list of database subnets inside the VPC" - type = list(string) - default = [] -} - -variable "database_subnet_assign_ipv6_address_on_creation" { - description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`" - type = bool - default = false -} - -variable "database_subnet_enable_dns64" { - description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`" - type = bool - default = true -} - -variable "database_subnet_enable_resource_name_dns_aaaa_record_on_launch" { - description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`" - type = bool - default = true -} - -variable "database_subnet_enable_resource_name_dns_a_record_on_launch" { - description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`" - type = bool - default = false -} - -variable "database_subnet_ipv6_prefixes" { - description = "Assigns IPv6 database subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). 
Must be of equal length to the corresponding IPv4 subnet list" - type = list(string) - default = [] -} - -variable "database_subnet_ipv6_native" { - description = "Indicates whether to create an IPv6-only subnet. Default: `false`" - type = bool - default = false -} - -variable "database_subnet_private_dns_hostname_type_on_launch" { - description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`" - type = string - default = null -} - -variable "database_subnet_names" { - description = "Explicit values to use in the Name tag on database subnets. If empty, Name tags are generated" - type = list(string) - default = [] -} - -variable "database_subnet_suffix" { - description = "Suffix to append to database subnets name" - type = string - default = "db" -} - -variable "create_database_subnet_route_table" { - description = "Controls if separate route table for database should be created" - type = bool - default = false -} - -variable "create_database_internet_gateway_route" { - description = "Controls if an internet gateway route for public database access should be created" - type = bool - default = false -} - -variable "create_database_nat_gateway_route" { - description = "Controls if a nat gateway route should be created to give internet access to the database subnets" - type = bool - default = false -} - -variable "database_route_table_tags" { - description = "Additional tags for the database route tables" - type = map(string) - default = {} -} - -variable "database_subnet_tags" { - description = "Additional tags for the database subnets" - type = map(string) - default = {} -} - -variable "create_database_subnet_group" { - description = "Controls if database subnet group should be created (n.b. 
database_subnets must also be set)" - type = bool - default = true -} - -variable "database_subnet_group_name" { - description = "Name of database subnet group" - type = string - default = null -} - -variable "database_subnet_group_tags" { - description = "Additional tags for the database subnet group" - type = map(string) - default = {} -} - -################################################################################ -# Database Network ACLs -################################################################################ - -variable "database_dedicated_network_acl" { - description = "Whether to use dedicated network ACL (not default) and custom rules for database subnets" - type = bool - default = false -} - -variable "database_inbound_acl_rules" { - description = "Database subnets inbound network ACL rules" - type = list(map(string)) - default = [ - { - rule_number = 100 - rule_action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - ] -} - -variable "database_outbound_acl_rules" { - description = "Database subnets outbound network ACL rules" - type = list(map(string)) - default = [ - { - rule_number = 100 - rule_action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - ] -} - -variable "database_acl_tags" { - description = "Additional tags for the database subnets network ACL" - type = map(string) - default = {} -} - -################################################################################ -# Redshift Subnets -################################################################################ - -variable "redshift_subnets" { - description = "A list of redshift subnets inside the VPC" - type = list(string) - default = [] -} - -variable "redshift_subnet_assign_ipv6_address_on_creation" { - description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. 
Default is `false`" - type = bool - default = false -} - -variable "redshift_subnet_enable_dns64" { - description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`" - type = bool - default = true -} - -variable "redshift_subnet_enable_resource_name_dns_aaaa_record_on_launch" { - description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`" - type = bool - default = true -} - -variable "redshift_subnet_enable_resource_name_dns_a_record_on_launch" { - description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`" - type = bool - default = false -} - -variable "redshift_subnet_ipv6_prefixes" { - description = "Assigns IPv6 redshift subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list" - type = list(string) - default = [] -} - -variable "redshift_subnet_ipv6_native" { - description = "Indicates whether to create an IPv6-only subnet. Default: `false`" - type = bool - default = false -} - -variable "redshift_subnet_private_dns_hostname_type_on_launch" { - description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`" - type = string - default = null -} - -variable "redshift_subnet_names" { - description = "Explicit values to use in the Name tag on redshift subnets. 
If empty, Name tags are generated" - type = list(string) - default = [] -} - -variable "redshift_subnet_suffix" { - description = "Suffix to append to redshift subnets name" - type = string - default = "redshift" -} - -variable "enable_public_redshift" { - description = "Controls if redshift should have public routing table" - type = bool - default = false -} - -variable "create_redshift_subnet_route_table" { - description = "Controls if separate route table for redshift should be created" - type = bool - default = false -} - -variable "redshift_route_table_tags" { - description = "Additional tags for the redshift route tables" - type = map(string) - default = {} -} - -variable "redshift_subnet_tags" { - description = "Additional tags for the redshift subnets" - type = map(string) - default = {} -} - -variable "create_redshift_subnet_group" { - description = "Controls if redshift subnet group should be created" - type = bool - default = true -} - -variable "redshift_subnet_group_name" { - description = "Name of redshift subnet group" - type = string - default = null -} - -variable "redshift_subnet_group_tags" { - description = "Additional tags for the redshift subnet group" - type = map(string) - default = {} -} - -################################################################################ -# Redshift Network ACLs -################################################################################ - -variable "redshift_dedicated_network_acl" { - description = "Whether to use dedicated network ACL (not default) and custom rules for redshift subnets" - type = bool - default = false -} - -variable "redshift_inbound_acl_rules" { - description = "Redshift subnets inbound network ACL rules" - type = list(map(string)) - default = [ - { - rule_number = 100 - rule_action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - ] -} - -variable "redshift_outbound_acl_rules" { - description = "Redshift subnets outbound network ACL rules" - 
type = list(map(string)) - default = [ - { - rule_number = 100 - rule_action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - ] -} - -variable "redshift_acl_tags" { - description = "Additional tags for the redshift subnets network ACL" - type = map(string) - default = {} -} - -################################################################################ -# Elasticache Subnets -################################################################################ - -variable "elasticache_subnets" { - description = "A list of elasticache subnets inside the VPC" - type = list(string) - default = [] -} - -variable "elasticache_subnet_assign_ipv6_address_on_creation" { - description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`" - type = bool - default = false -} - -variable "elasticache_subnet_enable_dns64" { - description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`" - type = bool - default = true -} - -variable "elasticache_subnet_enable_resource_name_dns_aaaa_record_on_launch" { - description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`" - type = bool - default = true -} - -variable "elasticache_subnet_enable_resource_name_dns_a_record_on_launch" { - description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`" - type = bool - default = false -} - -variable "elasticache_subnet_ipv6_prefixes" { - description = "Assigns IPv6 elasticache subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). 
Must be of equal length to the corresponding IPv4 subnet list" - type = list(string) - default = [] -} - -variable "elasticache_subnet_ipv6_native" { - description = "Indicates whether to create an IPv6-only subnet. Default: `false`" - type = bool - default = false -} - -variable "elasticache_subnet_private_dns_hostname_type_on_launch" { - description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`" - type = string - default = null -} - -variable "elasticache_subnet_names" { - description = "Explicit values to use in the Name tag on elasticache subnets. If empty, Name tags are generated" - type = list(string) - default = [] -} - -variable "elasticache_subnet_suffix" { - description = "Suffix to append to elasticache subnets name" - type = string - default = "elasticache" -} - -variable "elasticache_subnet_tags" { - description = "Additional tags for the elasticache subnets" - type = map(string) - default = {} -} - -variable "create_elasticache_subnet_route_table" { - description = "Controls if separate route table for elasticache should be created" - type = bool - default = false -} - -variable "elasticache_route_table_tags" { - description = "Additional tags for the elasticache route tables" - type = map(string) - default = {} -} - -variable "create_elasticache_subnet_group" { - description = "Controls if elasticache subnet group should be created" - type = bool - default = true -} - -variable "elasticache_subnet_group_name" { - description = "Name of elasticache subnet group" - type = string - default = null -} - -variable "elasticache_subnet_group_tags" { - description = "Additional tags for the elasticache subnet group" - type = map(string) - default = {} -} - 
-################################################################################ -# Elasticache Network ACLs -################################################################################ - -variable "elasticache_dedicated_network_acl" { - description = "Whether to use dedicated network ACL (not default) and custom rules for elasticache subnets" - type = bool - default = false -} - -variable "elasticache_inbound_acl_rules" { - description = "Elasticache subnets inbound network ACL rules" - type = list(map(string)) - default = [ - { - rule_number = 100 - rule_action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - ] -} - -variable "elasticache_outbound_acl_rules" { - description = "Elasticache subnets outbound network ACL rules" - type = list(map(string)) - default = [ - { - rule_number = 100 - rule_action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - ] -} - -variable "elasticache_acl_tags" { - description = "Additional tags for the elasticache subnets network ACL" - type = map(string) - default = {} -} - -################################################################################ -# Intra Subnets -################################################################################ - -variable "intra_subnets" { - description = "A list of intra subnets inside the VPC" - type = list(string) - default = [] -} - -variable "intra_subnet_assign_ipv6_address_on_creation" { - description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`" - type = bool - default = false -} - -variable "intra_subnet_enable_dns64" { - description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. 
Default: `true`" - type = bool - default = true -} - -variable "intra_subnet_enable_resource_name_dns_aaaa_record_on_launch" { - description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`" - type = bool - default = true -} - -variable "intra_subnet_enable_resource_name_dns_a_record_on_launch" { - description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`" - type = bool - default = false -} - -variable "intra_subnet_ipv6_prefixes" { - description = "Assigns IPv6 intra subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list" - type = list(string) - default = [] -} - -variable "intra_subnet_ipv6_native" { - description = "Indicates whether to create an IPv6-only subnet. Default: `false`" - type = bool - default = false -} - -variable "intra_subnet_private_dns_hostname_type_on_launch" { - description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`" - type = string - default = null -} - -variable "intra_subnet_names" { - description = "Explicit values to use in the Name tag on intra subnets. 
If empty, Name tags are generated" - type = list(string) - default = [] -} - -variable "intra_subnet_suffix" { - description = "Suffix to append to intra subnets name" - type = string - default = "intra" -} - -variable "intra_subnet_tags" { - description = "Additional tags for the intra subnets" - type = map(string) - default = {} -} - -variable "intra_route_table_tags" { - description = "Additional tags for the intra route tables" - type = map(string) - default = {} -} - -################################################################################ -# Intra Network ACLs -################################################################################ - -variable "intra_dedicated_network_acl" { - description = "Whether to use dedicated network ACL (not default) and custom rules for intra subnets" - type = bool - default = false -} - -variable "intra_inbound_acl_rules" { - description = "Intra subnets inbound network ACLs" - type = list(map(string)) - default = [ - { - rule_number = 100 - rule_action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - ] -} - -variable "intra_outbound_acl_rules" { - description = "Intra subnets outbound network ACLs" - type = list(map(string)) - default = [ - { - rule_number = 100 - rule_action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - ] -} - -variable "intra_acl_tags" { - description = "Additional tags for the intra subnets network ACL" - type = map(string) - default = {} -} - -################################################################################ -# Outpost Subnets -################################################################################ - -variable "outpost_subnets" { - description = "A list of outpost subnets inside the VPC" - type = list(string) - default = [] -} - -variable "outpost_subnet_assign_ipv6_address_on_creation" { - description = "Specify true to indicate that network interfaces created in the specified 
subnet should be assigned an IPv6 address. Default is `false`" - type = bool - default = false -} - -variable "outpost_az" { - description = "AZ where Outpost is anchored" - type = string - default = null -} - -variable "customer_owned_ipv4_pool" { - description = "The customer owned IPv4 address pool. Typically used with the `map_customer_owned_ip_on_launch` argument. The `outpost_arn` argument must be specified when configured" - type = string - default = null -} - -variable "outpost_subnet_enable_dns64" { - description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`" - type = bool - default = true -} - -variable "outpost_subnet_enable_resource_name_dns_aaaa_record_on_launch" { - description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`" - type = bool - default = true -} - -variable "outpost_subnet_enable_resource_name_dns_a_record_on_launch" { - description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`" - type = bool - default = false -} - -variable "outpost_subnet_ipv6_prefixes" { - description = "Assigns IPv6 outpost subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list" - type = list(string) - default = [] -} - -variable "outpost_subnet_ipv6_native" { - description = "Indicates whether to create an IPv6-only subnet. Default: `false`" - type = bool - default = false -} - -variable "map_customer_owned_ip_on_launch" { - description = "Specify true to indicate that network interfaces created in the subnet should be assigned a customer owned IP address. The `customer_owned_ipv4_pool` and `outpost_arn` arguments must be specified when set to `true`. 
Default is `false`" - type = bool - default = false -} - -variable "outpost_arn" { - description = "ARN of Outpost you want to create a subnet in" - type = string - default = null -} - -variable "outpost_subnet_private_dns_hostname_type_on_launch" { - description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`" - type = string - default = null -} - -variable "outpost_subnet_names" { - description = "Explicit values to use in the Name tag on outpost subnets. If empty, Name tags are generated" - type = list(string) - default = [] -} - -variable "outpost_subnet_suffix" { - description = "Suffix to append to outpost subnets name" - type = string - default = "outpost" -} - -variable "outpost_subnet_tags" { - description = "Additional tags for the outpost subnets" - type = map(string) - default = {} -} - -################################################################################ -# Outpost Network ACLs -################################################################################ - -variable "outpost_dedicated_network_acl" { - description = "Whether to use dedicated network ACL (not default) and custom rules for outpost subnets" - type = bool - default = false -} - -variable "outpost_inbound_acl_rules" { - description = "Outpost subnets inbound network ACLs" - type = list(map(string)) - default = [ - { - rule_number = 100 - rule_action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - ] -} - -variable "outpost_outbound_acl_rules" { - description = "Outpost subnets outbound network ACLs" - type = list(map(string)) - default = [ - { - rule_number = 100 - rule_action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - ] -} 
- -variable "outpost_acl_tags" { - description = "Additional tags for the outpost subnets network ACL" - type = map(string) - default = {} -} - -################################################################################ -# Internet Gateway -################################################################################ - -variable "create_igw" { - description = "Controls if an Internet Gateway is created for public subnets and the related routes that connect them" - type = bool - default = true -} - -variable "create_egress_only_igw" { - description = "Controls if an Egress Only Internet Gateway is created and its related routes" - type = bool - default = true -} - -variable "igw_tags" { - description = "Additional tags for the internet gateway" - type = map(string) - default = {} -} - -################################################################################ -# NAT Gateway -################################################################################ - -variable "enable_nat_gateway" { - description = "Should be true if you want to provision NAT Gateways for each of your private networks" - type = bool - default = false -} - -variable "nat_gateway_destination_cidr_block" { - description = "Used to pass a custom destination route for private NAT Gateway. If not specified, the default 0.0.0.0/0 is used as a destination route" - type = string - default = "0.0.0.0/0" -} - -variable "single_nat_gateway" { - description = "Should be true if you want to provision a single shared NAT Gateway across all of your private networks" - type = bool - default = false -} - -variable "one_nat_gateway_per_az" { - description = "Should be true if you want only one NAT Gateway per availability zone. 
Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`" - type = bool - default = false -} - -variable "reuse_nat_ips" { - description = "Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable" - type = bool - default = false -} - -variable "external_nat_ip_ids" { - description = "List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips)" - type = list(string) - default = [] -} - -variable "external_nat_ips" { - description = "List of EIPs to be used for `nat_public_ips` output (used in combination with reuse_nat_ips and external_nat_ip_ids)" - type = list(string) - default = [] -} - -variable "nat_gateway_tags" { - description = "Additional tags for the NAT gateways" - type = map(string) - default = {} -} - -variable "nat_eip_tags" { - description = "Additional tags for the NAT EIP" - type = map(string) - default = {} -} - -################################################################################ -# Customer Gateways -################################################################################ - -variable "customer_gateways" { - description = "Maps of Customer Gateway's attributes (BGP ASN and Gateway's Internet-routable external IP address)" - type = map(map(any)) - default = {} -} - -variable "customer_gateway_tags" { - description = "Additional tags for the Customer Gateway" - type = map(string) - default = {} -} - -################################################################################ -# VPN Gateway -################################################################################ - -variable "enable_vpn_gateway" { - description = "Should be true if you want to create a new VPN Gateway resource and attach it to the VPC" - type = bool - default = false -} - -variable "vpn_gateway_id" { - description = "ID of VPN 
Gateway to attach to the VPC" - type = string - default = "" -} - -variable "amazon_side_asn" { - description = "The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN" - type = string - default = "64512" -} - -variable "vpn_gateway_az" { - description = "The Availability Zone for the VPN Gateway" - type = string - default = null -} - -variable "propagate_intra_route_tables_vgw" { - description = "Should be true if you want route table propagation" - type = bool - default = false -} - -variable "propagate_private_route_tables_vgw" { - description = "Should be true if you want route table propagation" - type = bool - default = false -} - -variable "propagate_public_route_tables_vgw" { - description = "Should be true if you want route table propagation" - type = bool - default = false -} - -variable "vpn_gateway_tags" { - description = "Additional tags for the VPN gateway" - type = map(string) - default = {} -} - -################################################################################ -# Default VPC -################################################################################ - -variable "manage_default_vpc" { - description = "Should be true to adopt and manage Default VPC" - type = bool - default = false -} - -variable "default_vpc_name" { - description = "Name to be used on the Default VPC" - type = string - default = null -} - -variable "default_vpc_enable_dns_support" { - description = "Should be true to enable DNS support in the Default VPC" - type = bool - default = true -} - -variable "default_vpc_enable_dns_hostnames" { - description = "Should be true to enable DNS hostnames in the Default VPC" - type = bool - default = true -} - -variable "default_vpc_tags" { - description = "Additional tags for the Default VPC" - type = map(string) - default = {} -} - -variable "manage_default_security_group" { - description = "Should be true to adopt and 
manage default security group" - type = bool - default = true -} - -variable "default_security_group_name" { - description = "Name to be used on the default security group" - type = string - default = null -} - -variable "default_security_group_ingress" { - description = "List of maps of ingress rules to set on the default security group" - type = list(map(string)) - default = [] -} - -variable "default_security_group_egress" { - description = "List of maps of egress rules to set on the default security group" - type = list(map(string)) - default = [] -} - -variable "default_security_group_tags" { - description = "Additional tags for the default security group" - type = map(string) - default = {} -} - -################################################################################ -# Default Network ACLs -################################################################################ - -variable "manage_default_network_acl" { - description = "Should be true to adopt and manage Default Network ACL" - type = bool - default = true -} - -variable "default_network_acl_name" { - description = "Name to be used on the Default Network ACL" - type = string - default = null -} - -variable "default_network_acl_ingress" { - description = "List of maps of ingress rules to set on the Default Network ACL" - type = list(map(string)) - default = [ - { - rule_no = 100 - action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - { - rule_no = 101 - action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - ipv6_cidr_block = "::/0" - }, - ] -} - -variable "default_network_acl_egress" { - description = "List of maps of egress rules to set on the Default Network ACL" - type = list(map(string)) - default = [ - { - rule_no = 100 - action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - { - rule_no = 101 - action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - ipv6_cidr_block = "::/0" - 
}, - ] -} - -variable "default_network_acl_tags" { - description = "Additional tags for the Default Network ACL" - type = map(string) - default = {} -} - -################################################################################ -# Default Route -################################################################################ - -variable "manage_default_route_table" { - description = "Should be true to manage default route table" - type = bool - default = true -} - -variable "default_route_table_name" { - description = "Name to be used on the default route table" - type = string - default = null -} - -variable "default_route_table_propagating_vgws" { - description = "List of virtual gateways for propagation" - type = list(string) - default = [] -} - -variable "default_route_table_routes" { - description = "Configuration block of routes. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_route_table#route" - type = list(map(string)) - default = [] -} - -variable "default_route_table_tags" { - description = "Additional tags for the default route table" - type = map(string) - default = {} -} - -################################################################################ -# Flow Log -################################################################################ - -variable "enable_flow_log" { - description = "Whether or not to enable VPC Flow Logs" - type = bool - default = false -} - -variable "vpc_flow_log_permissions_boundary" { - description = "The ARN of the Permissions Boundary for the VPC Flow Log IAM Role" - type = string - default = null -} - -variable "flow_log_max_aggregation_interval" { - description = "The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds" - type = number - default = 600 -} - -variable "flow_log_traffic_type" { - description = "The type of traffic to capture. 
Valid values: ACCEPT, REJECT, ALL" - type = string - default = "ALL" -} - -variable "flow_log_destination_type" { - description = "Type of flow log destination. Can be s3, kinesis-data-firehose or cloud-watch-logs" - type = string - default = "cloud-watch-logs" -} - -variable "flow_log_log_format" { - description = "The fields to include in the flow log record, in the order in which they should appear" - type = string - default = null -} - -variable "flow_log_destination_arn" { - description = "The ARN of the CloudWatch log group or S3 bucket where VPC Flow Logs will be pushed. If this ARN is a S3 bucket the appropriate permissions need to be set on that bucket's policy. When create_flow_log_cloudwatch_log_group is set to false this argument must be provided" - type = string - default = "" -} - -variable "flow_log_deliver_cross_account_role" { - description = "(Optional) ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts." - type = string - default = null -} - -variable "flow_log_file_format" { - description = "(Optional) The format for the flow log. Valid values: `plain-text`, `parquet`" - type = string - default = null -} - -variable "flow_log_hive_compatible_partitions" { - description = "(Optional) Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3" - type = bool - default = false -} - -variable "flow_log_per_hour_partition" { - description = "(Optional) Indicates whether to partition the flow log per hour. 
This reduces the cost and response time for queries" - type = bool - default = false -} - -variable "vpc_flow_log_tags" { - description = "Additional tags for the VPC Flow Logs" - type = map(string) - default = {} -} - -################################################################################ -# Flow Log CloudWatch -################################################################################ - -variable "create_flow_log_cloudwatch_log_group" { - description = "Whether to create CloudWatch log group for VPC Flow Logs" - type = bool - default = false -} - -variable "create_flow_log_cloudwatch_iam_role" { - description = "Whether to create IAM role for VPC Flow Logs" - type = bool - default = false -} - -variable "flow_log_cloudwatch_iam_role_arn" { - description = "The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When flow_log_destination_arn is set to ARN of Cloudwatch Logs, this argument needs to be provided" - type = string - default = "" -} - -variable "flow_log_cloudwatch_log_group_name_prefix" { - description = "Specifies the name prefix of CloudWatch Log Group for VPC flow logs" - type = string - default = "/aws/vpc-flow-log/" -} - -variable "flow_log_cloudwatch_log_group_name_suffix" { - description = "Specifies the name suffix of CloudWatch Log Group for VPC flow logs" - type = string - default = "" -} - -variable "flow_log_cloudwatch_log_group_retention_in_days" { - description = "Specifies the number of days you want to retain log events in the specified log group for VPC flow logs" - type = number - default = null -} - -variable "flow_log_cloudwatch_log_group_kms_key_id" { - description = "The ARN of the KMS Key to use when encrypting log data for VPC flow logs" - type = string - default = null -} - -variable "flow_log_cloudwatch_log_group_skip_destroy" { - description = " Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the 
log group from the Terraform state"
- type = bool
- default = false
-}
-
-variable "flow_log_cloudwatch_log_group_class" {
- description = "Specified the log class of the log group. Possible values are: STANDARD or INFREQUENT_ACCESS"
- type = string
- default = null
-}
-
-variable "putin_khuylo" {
- description = "Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo!"
- type = bool
- default = true
-}
diff --git a/test/init_tf_module_sources_test.go b/test/init_tf_module_sources_test.go
index 177e956..d4b3333 100644
--- a/test/init_tf_module_sources_test.go
+++ b/test/init_tf_module_sources_test.go
@@ -84,7 +84,7 @@ var _ = Describe("InitTerraformPromise source integration", func() {
 Entry("private git repo placeholder with subdir (mono-repo style)",
 moduleTestCase{
 name: "git subdir",
- moduleSource: "git::https://github.com/syntasso/kratix-cli-private-tf-module-test-fixture.git//modules/vpc-endpoints?ref=v5.7.0",
+ moduleSource: "git::ssh://git@github.com/syntasso/kratix-cli-private-tf-module-test-fixture.git//modules/vpc-endpoints?ref=v5.7.0",
 expectedAPIPath: vpcSubdirAPI,
 },
 ),
diff --git a/variables.tf b/variables.tf
deleted file mode 100644
index 7a38762..0000000
--- a/variables.tf
+++ /dev/null
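Review bot: The new `git::ssh://` source still selects the private fixture by the mutable tag `ref=v5.7.0`, so whoever can move that tag in the fixture repo changes what this integration test fetches and compares against `vpcSubdirAPI` without any change in this repository; pinning `ref=` to the commit SHA the tag currently resolves to makes the fixture content immutable. Moving from https to ssh also means the test now depends on an SSH key and a `known_hosts` entry on the runner rather than on an HTTPS token, and if CI is made green by disabling host-key checking (`StrictHostKeyChecking=no`) the github.com host-key verification is lost — the CI configuration is not visible from this hunk, so this is something to confirm, with the GitHub host key provisioned explicitly if it is not already. A one-line comment on the entry, e.g. `// requires an SSH key with read access to the private fixture repo loaded in the runner's agent`, would document the new precondition for anyone running the suite locally.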
@@ -1,1597 +0,0 @@ -condary CIDR blocks to associate with the VPC to extend the IP Address pool" - type = list(string) - default = [] -} - -variable "instance_tenancy" { - description = "A tenancy option for instances launched into the VPC" - type = string - default = "default" -} - -variable "azs" { - description = "A list of availability zones names or ids in the region" - type = list(string) - default = [] -} - -variable "enable_dns_hostnames" { - description = "Should be true to enable DNS hostnames in the VPC" - type = bool - default = true -} - -variable "enable_dns_support" { - description = "Should be true to enable DNS support in the VPC" - type = bool - default = true -} - -variable "enable_network_address_usage_metrics" { - des################################################################################ -# VPC -################################################################################ - -variable "create_vpc" { - description = "Controls if VPC should be created (it affects almost all resources)" - type = bool - default = true -} - -variable "name" { - description = "Name to be used on all the resources as identifier" - type = string - default = "" -} - -variable "cidr" { - description = "(Optional) The IPv4 CIDR block for the VPC. 
CIDR can be explicitly set or it can be derived from IPAM using `ipv4_netmask_length` & `ipv4_ipam_pool_id`" - type = string - default = "10.0.0.0/16" -} - -variable "secondary_cidr_blocks" { - description = "List of secription = "Determines whether network address usage metrics are enabled for the VPC" - type = bool - default = null -} - -variable "use_ipam_pool" { - description = "Determines whether IPAM pool is used for CIDR allocation" - type = bool - default = false -} - -variable "ipv4_ipam_pool_id" { - description = "(Optional) The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR" - type = string - default = null -} - -variable "ipv4_netmask_length" { - description = "(Optional) The netmask length of the IPv4 CIDR you want to allocate to this VPC. Requires specifying a ipv4_ipam_pool_id" - type = number - default = null -} - -variable "enable_ipv6" { - description = "Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block" - type = bool - default = false -} - -variable "ipv6_cidr" { - description = "(Optional) IPv6 CIDR block to request from an IPAM Pool. Can be set explicitly or derived from IPAM using `ipv6_netmask_length`" - type = string - default = null -} - -variable "ipv6_ipam_pool_id" { - description = "(Optional) IPAM Pool ID for a IPv6 pool. Conflicts with `assign_generated_ipv6_cidr_block`" - type = string - default = null -} - -variable "ipv6_netmask_length" { - description = "(Optional) Netmask length to request from IPAM Pool. Conflicts with `ipv6_cidr_block`. This can be omitted if IPAM pool as a `allocation_default_netmask_length` set. Valid values: `56`" - type = number - default = null -} - -variable "ipv6_cidr_block_network_border_group" { - description = "By default when an IPv6 CIDR is assigned to a VPC a default ipv6_cidr_block_network_border_group will be set to the region of the VPC. 
This can be changed to restrict advertisement of public addresses to specific Network Border Groups such as LocalZones" - type = string - default = null -} - -variable "vpc_tags" { - description = "Additional tags for the VPC" - type = map(string) - default = {} -} - -variable "tags" { - description = "A map of tags to add to all resources" - type = map(string) - default = {} -} - -################################################################################ -# DHCP Options Set -################################################################################ - -variable "enable_dhcp_options" { - description = "Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type" - type = bool - default = false -} - -variable "dhcp_options_domain_name" { - description = "Specifies DNS name for DHCP options set (requires enable_dhcp_options set to true)" - type = string - default = "" -} - -variable "dhcp_options_domain_name_servers" { - description = "Specify a list of DNS server addresses for DHCP options set, default to AWS provided (requires enable_dhcp_options set to true)" - type = list(string) - default = ["AmazonProvidedDNS"] -} - -variable "dhcp_options_ntp_servers" { - description = "Specify a list of NTP servers for DHCP options set (requires enable_dhcp_options set to true)" - type = list(string) - default = [] -} - -variable "dhcp_options_netbios_name_servers" { - description = "Specify a list of netbios servers for DHCP options set (requires enable_dhcp_options set to true)" - type = list(string) - default = [] -} - -variable "dhcp_options_netbios_node_type" { - description = "Specify netbios node_type for DHCP options set (requires enable_dhcp_options set to true)" - type = string - default = "" -} - -variable "dhcp_options_tags" { - description = "Additional tags for the DHCP option set (requires enable_dhcp_options set to true)" - type = map(string) - default = {} 
-}
-
-################################################################################
-# Publiс Subnets
-################################################################################
-
-variable "public_subnets" {
- description = "A list of public subnets inside the VPC"
- type = list(string)
- default = []
-}
-
-variable "public_subnet_assign_ipv6_address_on_creation" {
- description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`"
- type = bool
- default = false
-}
-
-variable "public_subnet_enable_dns64" {
- description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`"
- type = bool
- default = true
-}
-
-variable "public_subnet_enable_resource_name_dns_aaaa_record_on_launch" {
- description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`"
- type = bool
- default = true
-}
-
-variable "public_subnet_enable_resource_name_dns_a_record_on_launch" {
- description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`"
- type = bool
- default = false
-}
-
-variable "public_subnet_ipv6_prefixes" {
- description = "Assigns IPv6 public subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
- type = list(string)
- default = []
-}
-
-variable "public_subnet_ipv6_native" {
- description = "Indicates whether to create an IPv6-only subnet. Default: `false`"
- type = bool
- default = false
-}
-
-variable "map_public_ip_on_launch" {
- description = "Specify true to indicate that instances launched into the subnet should be assigned a public IP address. 
Default is `false`"
- type = bool
- default = false
-}
-
-variable "public_subnet_private_dns_hostname_type_on_launch" {
- description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`"
- type = string
- default = null
-}
-
-variable "public_subnet_names" {
- description = "Explicit values to use in the Name tag on public subnets. If empty, Name tags are generated"
- type = list(string)
- default = []
-}
-
-variable "public_subnet_suffix" {
- description = "Suffix to append to public subnets name"
- type = string
- default = "public"
-}
-
-variable "public_subnet_tags" {
- description = "Additional tags for the public subnets"
- type = map(string)
- default = {}
-}
-
-variable "public_subnet_tags_per_az" {
- description = "Additional tags for the public subnets where the primary key is the AZ"
- type = map(map(string))
- default = {}
-}
-
-variable "public_route_table_tags" {
- description = "Additional tags for the public route tables"
- type = map(string)
- default = {}
-}
-
-################################################################################
-# Public Network ACLs
-################################################################################
-
-variable "public_dedicated_network_acl" {
- description = "Whether to use dedicated network ACL (not default) and custom rules for public subnets"
- type = bool
- default = false
-}
-
-variable "public_inbound_acl_rules" {
- description = "Public subnets inbound network ACLs"
- type = list(map(string))
- default = [
- {
- rule_number = 100
- rule_action = "allow"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_block = "0.0.0.0/0"
- },
- ]
-}
-
-variable "public_outbound_acl_rules" {
- description = "Public subnets outbound network ACLs"
- 
type = list(map(string))
- default = [
- {
- rule_number = 100
- rule_action = "allow"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_block = "0.0.0.0/0"
- },
- ]
-}
-
-variable "public_acl_tags" {
- description = "Additional tags for the public subnets network ACL"
- type = map(string)
- default = {}
-}
-
-################################################################################
-# Private Subnets
-################################################################################
-
-variable "private_subnets" {
- description = "A list of private subnets inside the VPC"
- type = list(string)
- default = []
-}
-
-variable "private_subnet_assign_ipv6_address_on_creation" {
- description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`"
- type = bool
- default = false
-}
-
-variable "private_subnet_enable_dns64" {
- description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`"
- type = bool
- default = true
-}
-
-variable "private_subnet_enable_resource_name_dns_aaaa_record_on_launch" {
- description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`"
- type = bool
- default = true
-}
-
-variable "private_subnet_enable_resource_name_dns_a_record_on_launch" {
- description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`"
- type = bool
- default = false
-}
-
-variable "private_subnet_ipv6_prefixes" {
- description = "Assigns IPv6 private subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
- type = list(string)
- default = []
-}
-
-variable "private_subnet_ipv6_native" {
- description = "Indicates whether to create an IPv6-only subnet. 
Default: `false`"
- type = bool
- default = false
-}
-
-variable "private_subnet_private_dns_hostname_type_on_launch" {
- description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`"
- type = string
- default = null
-}
-
-variable "private_subnet_names" {
- description = "Explicit values to use in the Name tag on private subnets. If empty, Name tags are generated"
- type = list(string)
- default = []
-}
-
-variable "private_subnet_suffix" {
- description = "Suffix to append to private subnets name"
- type = string
- default = "private"
-}
-
-variable "private_subnet_tags" {
- description = "Additional tags for the private subnets"
- type = map(string)
- default = {}
-}
-
-variable "private_subnet_tags_per_az" {
- description = "Additional tags for the private subnets where the primary key is the AZ"
- type = map(map(string))
- default = {}
-}
-
-variable "private_route_table_tags" {
- description = "Additional tags for the private route tables"
- type = map(string)
- default = {}
-}
-
-################################################################################
-# Private Network ACLs
-################################################################################
-
-variable "private_dedicated_network_acl" {
- description = "Whether to use dedicated network ACL (not default) and custom rules for private subnets"
- type = bool
- default = false
-}
-
-variable "private_inbound_acl_rules" {
- description = "Private subnets inbound network ACLs"
- type = list(map(string))
- default = [
- {
- rule_number = 100
- rule_action = "allow"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_block = "0.0.0.0/0"
- },
- ]
-}
-
-variable "private_outbound_acl_rules" {
- description = "Private subnets outbound 
network ACLs"
- type = list(map(string))
- default = [
- {
- rule_number = 100
- rule_action = "allow"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_block = "0.0.0.0/0"
- },
- ]
-}
-
-variable "private_acl_tags" {
- description = "Additional tags for the private subnets network ACL"
- type = map(string)
- default = {}
-}
-
-################################################################################
-# Database Subnets
-################################################################################
-
-variable "database_subnets" {
- description = "A list of database subnets inside the VPC"
- type = list(string)
- default = []
-}
-
-variable "database_subnet_assign_ipv6_address_on_creation" {
- description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`"
- type = bool
- default = false
-}
-
-variable "database_subnet_enable_dns64" {
- description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`"
- type = bool
- default = true
-}
-
-variable "database_subnet_enable_resource_name_dns_aaaa_record_on_launch" {
- description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`"
- type = bool
- default = true
-}
-
-variable "database_subnet_enable_resource_name_dns_a_record_on_launch" {
- description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`"
- type = bool
- default = false
-}
-
-variable "database_subnet_ipv6_prefixes" {
- description = "Assigns IPv6 database subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). 
Must be of equal length to the corresponding IPv4 subnet list"
- type = list(string)
- default = []
-}
-
-variable "database_subnet_ipv6_native" {
- description = "Indicates whether to create an IPv6-only subnet. Default: `false`"
- type = bool
- default = false
-}
-
-variable "database_subnet_private_dns_hostname_type_on_launch" {
- description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`"
- type = string
- default = null
-}
-
-variable "database_subnet_names" {
- description = "Explicit values to use in the Name tag on database subnets. If empty, Name tags are generated"
- type = list(string)
- default = []
-}
-
-variable "database_subnet_suffix" {
- description = "Suffix to append to database subnets name"
- type = string
- default = "db"
-}
-
-variable "create_database_subnet_route_table" {
- description = "Controls if separate route table for database should be created"
- type = bool
- default = false
-}
-
-variable "create_database_internet_gateway_route" {
- description = "Controls if an internet gateway route for public database access should be created"
- type = bool
- default = false
-}
-
-variable "create_database_nat_gateway_route" {
- description = "Controls if a nat gateway route should be created to give internet access to the database subnets"
- type = bool
- default = false
-}
-
-variable "database_route_table_tags" {
- description = "Additional tags for the database route tables"
- type = map(string)
- default = {}
-}
-
-variable "database_subnet_tags" {
- description = "Additional tags for the database subnets"
- type = map(string)
- default = {}
-}
-
-variable "create_database_subnet_group" {
- description = "Controls if database subnet group should be created (n.b. 
database_subnets must also be set)"
- type = bool
- default = true
-}
-
-variable "database_subnet_group_name" {
- description = "Name of database subnet group"
- type = string
- default = null
-}
-
-variable "database_subnet_group_tags" {
- description = "Additional tags for the database subnet group"
- type = map(string)
- default = {}
-}
-
-################################################################################
-# Database Network ACLs
-################################################################################
-
-variable "database_dedicated_network_acl" {
- description = "Whether to use dedicated network ACL (not default) and custom rules for database subnets"
- type = bool
- default = false
-}
-
-variable "database_inbound_acl_rules" {
- description = "Database subnets inbound network ACL rules"
- type = list(map(string))
- default = [
- {
- rule_number = 100
- rule_action = "allow"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_block = "0.0.0.0/0"
- },
- ]
-}
-
-variable "database_outbound_acl_rules" {
- description = "Database subnets outbound network ACL rules"
- type = list(map(string))
- default = [
- {
- rule_number = 100
- rule_action = "allow"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_block = "0.0.0.0/0"
- },
- ]
-}
-
-variable "database_acl_tags" {
- description = "Additional tags for the database subnets network ACL"
- type = map(string)
- default = {}
-}
-
-################################################################################
-# Redshift Subnets
-################################################################################
-
-variable "redshift_subnets" {
- description = "A list of redshift subnets inside the VPC"
- type = list(string)
- default = []
-}
-
-variable "redshift_subnet_assign_ipv6_address_on_creation" {
- description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. 
Default is `false`"
- type = bool
- default = false
-}
-
-variable "redshift_subnet_enable_dns64" {
- description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`"
- type = bool
- default = true
-}
-
-variable "redshift_subnet_enable_resource_name_dns_aaaa_record_on_launch" {
- description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`"
- type = bool
- default = true
-}
-
-variable "redshift_subnet_enable_resource_name_dns_a_record_on_launch" {
- description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`"
- type = bool
- default = false
-}
-
-variable "redshift_subnet_ipv6_prefixes" {
- description = "Assigns IPv6 redshift subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
- type = list(string)
- default = []
-}
-
-variable "redshift_subnet_ipv6_native" {
- description = "Indicates whether to create an IPv6-only subnet. Default: `false`"
- type = bool
- default = false
-}
-
-variable "redshift_subnet_private_dns_hostname_type_on_launch" {
- description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`"
- type = string
- default = null
-}
-
-variable "redshift_subnet_names" {
- description = "Explicit values to use in the Name tag on redshift subnets. 
If empty, Name tags are generated"
- type = list(string)
- default = []
-}
-
-variable "redshift_subnet_suffix" {
- description = "Suffix to append to redshift subnets name"
- type = string
- default = "redshift"
-}
-
-variable "enable_public_redshift" {
- description = "Controls if redshift should have public routing table"
- type = bool
- default = false
-}
-
-variable "create_redshift_subnet_route_table" {
- description = "Controls if separate route table for redshift should be created"
- type = bool
- default = false
-}
-
-variable "redshift_route_table_tags" {
- description = "Additional tags for the redshift route tables"
- type = map(string)
- default = {}
-}
-
-variable "redshift_subnet_tags" {
- description = "Additional tags for the redshift subnets"
- type = map(string)
- default = {}
-}
-
-variable "create_redshift_subnet_group" {
- description = "Controls if redshift subnet group should be created"
- type = bool
- default = true
-}
-
-variable "redshift_subnet_group_name" {
- description = "Name of redshift subnet group"
- type = string
- default = null
-}
-
-variable "redshift_subnet_group_tags" {
- description = "Additional tags for the redshift subnet group"
- type = map(string)
- default = {}
-}
-
-################################################################################
-# Redshift Network ACLs
-################################################################################
-
-variable "redshift_dedicated_network_acl" {
- description = "Whether to use dedicated network ACL (not default) and custom rules for redshift subnets"
- type = bool
- default = false
-}
-
-variable "redshift_inbound_acl_rules" {
- description = "Redshift subnets inbound network ACL rules"
- type = list(map(string))
- default = [
- {
- rule_number = 100
- rule_action = "allow"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_block = "0.0.0.0/0"
- },
- ]
-}
-
-variable "redshift_outbound_acl_rules" {
- description = "Redshift subnets outbound network ACL rules"
- 
type = list(map(string))
- default = [
- {
- rule_number = 100
- rule_action = "allow"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_block = "0.0.0.0/0"
- },
- ]
-}
-
-variable "redshift_acl_tags" {
- description = "Additional tags for the redshift subnets network ACL"
- type = map(string)
- default = {}
-}
-
-################################################################################
-# Elasticache Subnets
-################################################################################
-
-variable "elasticache_subnets" {
- description = "A list of elasticache subnets inside the VPC"
- type = list(string)
- default = []
-}
-
-variable "elasticache_subnet_assign_ipv6_address_on_creation" {
- description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`"
- type = bool
- default = false
-}
-
-variable "elasticache_subnet_enable_dns64" {
- description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`"
- type = bool
- default = true
-}
-
-variable "elasticache_subnet_enable_resource_name_dns_aaaa_record_on_launch" {
- description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`"
- type = bool
- default = true
-}
-
-variable "elasticache_subnet_enable_resource_name_dns_a_record_on_launch" {
- description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`"
- type = bool
- default = false
-}
-
-variable "elasticache_subnet_ipv6_prefixes" {
- description = "Assigns IPv6 elasticache subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). 
Must be of equal length to the corresponding IPv4 subnet list"
- type = list(string)
- default = []
-}
-
-variable "elasticache_subnet_ipv6_native" {
- description = "Indicates whether to create an IPv6-only subnet. Default: `false`"
- type = bool
- default = false
-}
-
-variable "elasticache_subnet_private_dns_hostname_type_on_launch" {
- description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`"
- type = string
- default = null
-}
-
-variable "elasticache_subnet_names" {
- description = "Explicit values to use in the Name tag on elasticache subnets. If empty, Name tags are generated"
- type = list(string)
- default = []
-}
-
-variable "elasticache_subnet_suffix" {
- description = "Suffix to append to elasticache subnets name"
- type = string
- default = "elasticache"
-}
-
-variable "elasticache_subnet_tags" {
- description = "Additional tags for the elasticache subnets"
- type = map(string)
- default = {}
-}
-
-variable "create_elasticache_subnet_route_table" {
- description = "Controls if separate route table for elasticache should be created"
- type = bool
- default = false
-}
-
-variable "elasticache_route_table_tags" {
- description = "Additional tags for the elasticache route tables"
- type = map(string)
- default = {}
-}
-
-variable "create_elasticache_subnet_group" {
- description = "Controls if elasticache subnet group should be created"
- type = bool
- default = true
-}
-
-variable "elasticache_subnet_group_name" {
- description = "Name of elasticache subnet group"
- type = string
- default = null
-}
-
-variable "elasticache_subnet_group_tags" {
- description = "Additional tags for the elasticache subnet group"
- type = map(string)
- default = {}
-}
- 
-################################################################################
-# Elasticache Network ACLs
-################################################################################
-
-variable "elasticache_dedicated_network_acl" {
- description = "Whether to use dedicated network ACL (not default) and custom rules for elasticache subnets"
- type = bool
- default = false
-}
-
-variable "elasticache_inbound_acl_rules" {
- description = "Elasticache subnets inbound network ACL rules"
- type = list(map(string))
- default = [
- {
- rule_number = 100
- rule_action = "allow"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_block = "0.0.0.0/0"
- },
- ]
-}
-
-variable "elasticache_outbound_acl_rules" {
- description = "Elasticache subnets outbound network ACL rules"
- type = list(map(string))
- default = [
- {
- rule_number = 100
- rule_action = "allow"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_block = "0.0.0.0/0"
- },
- ]
-}
-
-variable "elasticache_acl_tags" {
- description = "Additional tags for the elasticache subnets network ACL"
- type = map(string)
- default = {}
-}
-
-################################################################################
-# Intra Subnets
-################################################################################
-
-variable "intra_subnets" {
- description = "A list of intra subnets inside the VPC"
- type = list(string)
- default = []
-}
-
-variable "intra_subnet_assign_ipv6_address_on_creation" {
- description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`"
- type = bool
- default = false
-}
-
-variable "intra_subnet_enable_dns64" {
- description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. 
Default: `true`"
- type = bool
- default = true
-}
-
-variable "intra_subnet_enable_resource_name_dns_aaaa_record_on_launch" {
- description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`"
- type = bool
- default = true
-}
-
-variable "intra_subnet_enable_resource_name_dns_a_record_on_launch" {
- description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`"
- type = bool
- default = false
-}
-
-variable "intra_subnet_ipv6_prefixes" {
- description = "Assigns IPv6 intra subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
- type = list(string)
- default = []
-}
-
-variable "intra_subnet_ipv6_native" {
- description = "Indicates whether to create an IPv6-only subnet. Default: `false`"
- type = bool
- default = false
-}
-
-variable "intra_subnet_private_dns_hostname_type_on_launch" {
- description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`"
- type = string
- default = null
-}
-
-variable "intra_subnet_names" {
- description = "Explicit values to use in the Name tag on intra subnets. 
If empty, Name tags are generated"
- type = list(string)
- default = []
-}
-
-variable "intra_subnet_suffix" {
- description = "Suffix to append to intra subnets name"
- type = string
- default = "intra"
-}
-
-variable "intra_subnet_tags" {
- description = "Additional tags for the intra subnets"
- type = map(string)
- default = {}
-}
-
-variable "intra_route_table_tags" {
- description = "Additional tags for the intra route tables"
- type = map(string)
- default = {}
-}
-
-################################################################################
-# Intra Network ACLs
-################################################################################
-
-variable "intra_dedicated_network_acl" {
- description = "Whether to use dedicated network ACL (not default) and custom rules for intra subnets"
- type = bool
- default = false
-}
-
-variable "intra_inbound_acl_rules" {
- description = "Intra subnets inbound network ACLs"
- type = list(map(string))
- default = [
- {
- rule_number = 100
- rule_action = "allow"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_block = "0.0.0.0/0"
- },
- ]
-}
-
-variable "intra_outbound_acl_rules" {
- description = "Intra subnets outbound network ACLs"
- type = list(map(string))
- default = [
- {
- rule_number = 100
- rule_action = "allow"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_block = "0.0.0.0/0"
- },
- ]
-}
-
-variable "intra_acl_tags" {
- description = "Additional tags for the intra subnets network ACL"
- type = map(string)
- default = {}
-}
-
-################################################################################
-# Outpost Subnets
-################################################################################
-
-variable "outpost_subnets" {
- description = "A list of outpost subnets inside the VPC"
- type = list(string)
- default = []
-}
-
-variable "outpost_subnet_assign_ipv6_address_on_creation" {
- description = "Specify true to indicate that network interfaces created in the specified 
subnet should be assigned an IPv6 address. Default is `false`"
- type = bool
- default = false
-}
-
-variable "outpost_az" {
- description = "AZ where Outpost is anchored"
- type = string
- default = null
-}
-
-variable "customer_owned_ipv4_pool" {
- description = "The customer owned IPv4 address pool. Typically used with the `map_customer_owned_ip_on_launch` argument. The `outpost_arn` argument must be specified when configured"
- type = string
- default = null
-}
-
-variable "outpost_subnet_enable_dns64" {
- description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`"
- type = bool
- default = true
-}
-
-variable "outpost_subnet_enable_resource_name_dns_aaaa_record_on_launch" {
- description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`"
- type = bool
- default = true
-}
-
-variable "outpost_subnet_enable_resource_name_dns_a_record_on_launch" {
- description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`"
- type = bool
- default = false
-}
-
-variable "outpost_subnet_ipv6_prefixes" {
- description = "Assigns IPv6 outpost subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
- type = list(string)
- default = []
-}
-
-variable "outpost_subnet_ipv6_native" {
- description = "Indicates whether to create an IPv6-only subnet. Default: `false`"
- type = bool
- default = false
-}
-
-variable "map_customer_owned_ip_on_launch" {
- description = "Specify true to indicate that network interfaces created in the subnet should be assigned a customer owned IP address. The `customer_owned_ipv4_pool` and `outpost_arn` arguments must be specified when set to `true`. 
Default is `false`"
- type = bool
- default = false
-}
-
-variable "outpost_arn" {
- description = "ARN of Outpost you want to create a subnet in"
- type = string
- default = null
-}
-
-variable "outpost_subnet_private_dns_hostname_type_on_launch" {
- description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`"
- type = string
- default = null
-}
-
-variable "outpost_subnet_names" {
- description = "Explicit values to use in the Name tag on outpost subnets. If empty, Name tags are generated"
- type = list(string)
- default = []
-}
-
-variable "outpost_subnet_suffix" {
- description = "Suffix to append to outpost subnets name"
- type = string
- default = "outpost"
-}
-
-variable "outpost_subnet_tags" {
- description = "Additional tags for the outpost subnets"
- type = map(string)
- default = {}
-}
-
-################################################################################
-# Outpost Network ACLs
-################################################################################
-
-variable "outpost_dedicated_network_acl" {
- description = "Whether to use dedicated network ACL (not default) and custom rules for outpost subnets"
- type = bool
- default = false
-}
-
-variable "outpost_inbound_acl_rules" {
- description = "Outpost subnets inbound network ACLs"
- type = list(map(string))
- default = [
- {
- rule_number = 100
- rule_action = "allow"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_block = "0.0.0.0/0"
- },
- ]
-}
-
-variable "outpost_outbound_acl_rules" {
- description = "Outpost subnets outbound network ACLs"
- type = list(map(string))
- default = [
- {
- rule_number = 100
- rule_action = "allow"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_block = "0.0.0.0/0"
- },
- ]
-}
-
-variable "outpost_acl_tags" {
- description = "Additional tags for the outpost subnets network ACL"
- type = map(string)
- default = {}
-}
-
-################################################################################
-# Internet Gateway
-################################################################################
-
-variable "create_igw" {
- description = "Controls if an Internet Gateway is created for public subnets and the related routes that connect them"
- type = bool
- default = true
-}
-
-variable "create_egress_only_igw" {
- description = "Controls if an Egress Only Internet Gateway is created and its related routes"
- type = bool
- default = true
-}
-
-variable "igw_tags" {
- description = "Additional tags for the internet gateway"
- type = map(string)
- default = {}
-}
-
-################################################################################
-# NAT Gateway
-################################################################################
-
-variable "enable_nat_gateway" {
- description = "Should be true if you want to provision NAT Gateways for each of your private networks"
- type = bool
- default = false
-}
-
-variable "nat_gateway_destination_cidr_block" {
- description = "Used to pass a custom destination route for private NAT Gateway. If not specified, the default 0.0.0.0/0 is used as a destination route"
- type = string
- default = "0.0.0.0/0"
-}
-
-variable "single_nat_gateway" {
- description = "Should be true if you want to provision a single shared NAT Gateway across all of your private networks"
- type = bool
- default = false
-}
-
-variable "one_nat_gateway_per_az" {
- description = "Should be true if you want only one NAT Gateway per availability zone. 
Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`" - type = bool - default = false -} - -variable "reuse_nat_ips" { - description = "Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable" - type = bool - default = false -} - -variable "external_nat_ip_ids" { - description = "List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips)" - type = list(string) - default = [] -} - -variable "external_nat_ips" { - description = "List of EIPs to be used for `nat_public_ips` output (used in combination with reuse_nat_ips and external_nat_ip_ids)" - type = list(string) - default = [] -} - -variable "nat_gateway_tags" { - description = "Additional tags for the NAT gateways" - type = map(string) - default = {} -} - -variable "nat_eip_tags" { - description = "Additional tags for the NAT EIP" - type = map(string) - default = {} -} - -################################################################################ -# Customer Gateways -################################################################################ - -variable "customer_gateways" { - description = "Maps of Customer Gateway's attributes (BGP ASN and Gateway's Internet-routable external IP address)" - type = map(map(any)) - default = {} -} - -variable "customer_gateway_tags" { - description = "Additional tags for the Customer Gateway" - type = map(string) - default = {} -} - -################################################################################ -# VPN Gateway -################################################################################ - -variable "enable_vpn_gateway" { - description = "Should be true if you want to create a new VPN Gateway resource and attach it to the VPC" - type = bool - default = false -} - -variable "vpn_gateway_id" { - description = "ID of VPN 
Gateway to attach to the VPC" - type = string - default = "" -} - -variable "amazon_side_asn" { - description = "The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN" - type = string - default = "64512" -} - -variable "vpn_gateway_az" { - description = "The Availability Zone for the VPN Gateway" - type = string - default = null -} - -variable "propagate_intra_route_tables_vgw" { - description = "Should be true if you want route table propagation" - type = bool - default = false -} - -variable "propagate_private_route_tables_vgw" { - description = "Should be true if you want route table propagation" - type = bool - default = false -} - -variable "propagate_public_route_tables_vgw" { - description = "Should be true if you want route table propagation" - type = bool - default = false -} - -variable "vpn_gateway_tags" { - description = "Additional tags for the VPN gateway" - type = map(string) - default = {} -} - -################################################################################ -# Default VPC -################################################################################ - -variable "manage_default_vpc" { - description = "Should be true to adopt and manage Default VPC" - type = bool - default = false -} - -variable "default_vpc_name" { - description = "Name to be used on the Default VPC" - type = string - default = null -} - -variable "default_vpc_enable_dns_support" { - description = "Should be true to enable DNS support in the Default VPC" - type = bool - default = true -} - -variable "default_vpc_enable_dns_hostnames" { - description = "Should be true to enable DNS hostnames in the Default VPC" - type = bool - default = true -} - -variable "default_vpc_tags" { - description = "Additional tags for the Default VPC" - type = map(string) - default = {} -} - -variable "manage_default_security_group" { - description = "Should be true to adopt and 
manage default security group" - type = bool - default = true -} - -variable "default_security_group_name" { - description = "Name to be used on the default security group" - type = string - default = null -} - -variable "default_security_group_ingress" { - description = "List of maps of ingress rules to set on the default security group" - type = list(map(string)) - default = [] -} - -variable "default_security_group_egress" { - description = "List of maps of egress rules to set on the default security group" - type = list(map(string)) - default = [] -} - -variable "default_security_group_tags" { - description = "Additional tags for the default security group" - type = map(string) - default = {} -} - -################################################################################ -# Default Network ACLs -################################################################################ - -variable "manage_default_network_acl" { - description = "Should be true to adopt and manage Default Network ACL" - type = bool - default = true -} - -variable "default_network_acl_name" { - description = "Name to be used on the Default Network ACL" - type = string - default = null -} - -variable "default_network_acl_ingress" { - description = "List of maps of ingress rules to set on the Default Network ACL" - type = list(map(string)) - default = [ - { - rule_no = 100 - action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - { - rule_no = 101 - action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - ipv6_cidr_block = "::/0" - }, - ] -} - -variable "default_network_acl_egress" { - description = "List of maps of egress rules to set on the Default Network ACL" - type = list(map(string)) - default = [ - { - rule_no = 100 - action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" - }, - { - rule_no = 101 - action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - ipv6_cidr_block = "::/0" - 
}, - ] -} - -variable "default_network_acl_tags" { - description = "Additional tags for the Default Network ACL" - type = map(string) - default = {} -} - -################################################################################ -# Default Route -################################################################################ - -variable "manage_default_route_table" { - description = "Should be true to manage default route table" - type = bool - default = true -} - -variable "default_route_table_name" { - description = "Name to be used on the default route table" - type = string - default = null -} - -variable "default_route_table_propagating_vgws" { - description = "List of virtual gateways for propagation" - type = list(string) - default = [] -} - -variable "default_route_table_routes" { - description = "Configuration block of routes. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_route_table#route" - type = list(map(string)) - default = [] -} - -variable "default_route_table_tags" { - description = "Additional tags for the default route table" - type = map(string) - default = {} -} - -################################################################################ -# Flow Log -################################################################################ - -variable "enable_flow_log" { - description = "Whether or not to enable VPC Flow Logs" - type = bool - default = false -} - -variable "vpc_flow_log_permissions_boundary" { - description = "The ARN of the Permissions Boundary for the VPC Flow Log IAM Role" - type = string - default = null -} - -variable "flow_log_max_aggregation_interval" { - description = "The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds" - type = number - default = 600 -} - -variable "flow_log_traffic_type" { - description = "The type of traffic to capture. 
Valid values: ACCEPT, REJECT, ALL" - type = string - default = "ALL" -} - -variable "flow_log_destination_type" { - description = "Type of flow log destination. Can be s3, kinesis-data-firehose or cloud-watch-logs" - type = string - default = "cloud-watch-logs" -} - -variable "flow_log_log_format" { - description = "The fields to include in the flow log record, in the order in which they should appear" - type = string - default = null -} - -variable "flow_log_destination_arn" { - description = "The ARN of the CloudWatch log group or S3 bucket where VPC Flow Logs will be pushed. If this ARN is a S3 bucket the appropriate permissions need to be set on that bucket's policy. When create_flow_log_cloudwatch_log_group is set to false this argument must be provided" - type = string - default = "" -} - -variable "flow_log_deliver_cross_account_role" { - description = "(Optional) ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts." - type = string - default = null -} - -variable "flow_log_file_format" { - description = "(Optional) The format for the flow log. Valid values: `plain-text`, `parquet`" - type = string - default = null -} - -variable "flow_log_hive_compatible_partitions" { - description = "(Optional) Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3" - type = bool - default = false -} - -variable "flow_log_per_hour_partition" { - description = "(Optional) Indicates whether to partition the flow log per hour. 
This reduces the cost and response time for queries" - type = bool - default = false -} - -variable "vpc_flow_log_tags" { - description = "Additional tags for the VPC Flow Logs" - type = map(string) - default = {} -} - -################################################################################ -# Flow Log CloudWatch -################################################################################ - -variable "create_flow_log_cloudwatch_log_group" { - description = "Whether to create CloudWatch log group for VPC Flow Logs" - type = bool - default = false -} - -variable "create_flow_log_cloudwatch_iam_role" { - description = "Whether to create IAM role for VPC Flow Logs" - type = bool - default = false -} - -variable "flow_log_cloudwatch_iam_role_arn" { - description = "The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When flow_log_destination_arn is set to ARN of Cloudwatch Logs, this argument needs to be provided" - type = string - default = "" -} - -variable "flow_log_cloudwatch_log_group_name_prefix" { - description = "Specifies the name prefix of CloudWatch Log Group for VPC flow logs" - type = string - default = "/aws/vpc-flow-log/" -} - -variable "flow_log_cloudwatch_log_group_name_suffix" { - description = "Specifies the name suffix of CloudWatch Log Group for VPC flow logs" - type = string - default = "" -} - -variable "flow_log_cloudwatch_log_group_retention_in_days" { - description = "Specifies the number of days you want to retain log events in the specified log group for VPC flow logs" - type = number - default = null -} - -variable "flow_log_cloudwatch_log_group_kms_key_id" { - description = "The ARN of the KMS Key to use when encrypting log data for VPC flow logs" - type = string - default = null -} - -variable "flow_log_cloudwatch_log_group_skip_destroy" { - description = " Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the 
log group from the Terraform state"
- type = bool
- default = false
-}
-
-variable "flow_log_cloudwatch_log_group_class" {
- description = "Specified the log class of the log group. Possible values are: STANDARD or INFREQUENT_ACCESS"
- type = string
- default = null
-}
-
-variable "putin_khuylo" {
- description = "Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo!"
- type = bool
- default = true
-}
From bd250f94ef12fc9e5e0c637c93f722ee3162b8e3 Mon Sep 17 00:00:00 2001
From: Jake
Date: Wed, 31 Dec 2025 16:28:05 +0000
Subject: [PATCH 14/17] fix dockerloading
---
 stages/terraform-module-promise/Dockerfile | 3 ++-
 stages/terraform-module-promise/Makefile | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/stages/terraform-module-promise/Dockerfile b/stages/terraform-module-promise/Dockerfile
index 60a40ee..8394967 100644
--- a/stages/terraform-module-promise/Dockerfile
+++ b/stages/terraform-module-promise/Dockerfile
@@ -4,8 +4,9 @@ ARG TARGETOS
 WORKDIR /workspace
 COPY go.mod go.mod
 COPY go.sum go.sum
-COPY stages/terraform-module-promise/main.go main.go
 RUN go mod download
+COPY stages/terraform-module-promise/main.go main.go
+COPY internal internal
 RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH GO111MODULE=on go build -a -o from-api-to-terraform-module main.go
 
 FROM --platform=${TARGETARCH:-$BUILDPLATFORM} gcr.io/distroless/cc:nonroot
diff --git a/stages/terraform-module-promise/Makefile b/stages/terraform-module-promise/Makefile
index 9f86860..f0a0549 100644
--- a/stages/terraform-module-promise/Makefile
+++ b/stages/terraform-module-promise/Makefile
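Review bot: The added `COPY internal internal` pulls everything under `internal` into the builder layer, which presumably includes `_test.go` files and any test fixtures, so a test-only edit invalidates this stage's cache even though the binary does not change. A `.dockerignore` entry such as `**/*_test.go` (or copying only the non-test sources) keeps the layer stable; because the runtime image comes from the separate distroless stage below, this affects build time and cache churn rather than what ships. The Makefile hunk in this patch is whitespace-only and needs no change.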
@@ -35,4 +35,4 @@ build-and-push: # Build container image and push it to the container registry
 ${BASE_PATH}
 
 build-and-load: build # Build container image and load it into kind
- kind load docker-image ${IMG_TAG}:${VERSION} --name platform
\ No newline at end of file
+ kind load docker-image ${IMG_TAG}:${VERSION} --name platform
From 144c612eb817f4218d4eb92e1164c957bbaac867 Mon Sep 17 00:00:00 2001
From: Jake
Date: Wed, 31 Dec 2025 16:59:40 +0000
Subject: [PATCH 15/17] PR feedback and fix incorrect version
---
 cmd/init_tf_module_promise.go | 2 +-
 cmd/kratix/main.go | 2 +-
 test/init_tf_module_sources_test.go | 1 -
 3 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/cmd/init_tf_module_promise.go b/cmd/init_tf_module_promise.go
index bcfbd67..2b04576 100644
--- a/cmd/init_tf_module_promise.go
+++ b/cmd/init_tf_module_promise.go
@@ -67,7 +67,7 @@ func InitFromTerraformModule(cmd *cobra.Command, args []string) error {
 
 if moduleRegistryVersion != "" && !internal.IsTerraformRegistrySource(moduleSource) {
 fmt.Println("Error: --module-registry-version is only valid for Terraform registry sources like 'namespace/name/provider'. For git URLs (e.g., 'git::https://github.com/org/repo.git?ref=v1.0.0') or local paths, embed the ref directly in --module-source instead.")
- return nil
+ return fmt.Errorf("invalid use of --module-registry-version with non-registry source")
 }
 
 variables, err := internal.GetVariablesFromModule(moduleSource, moduleRegistryVersion)
diff --git a/cmd/kratix/main.go b/cmd/kratix/main.go
index 70073cf..e3f97ea 100644
--- a/cmd/kratix/main.go
+++ b/cmd/kratix/main.go
@@ -21,7 +21,7 @@ import (
 )
 
 // needs to be updated before cutting a new release to desired version and should match the next version in .release-please-manifest.json
-var version = "0.11.0"
+var version = "0.12.0"
 
 func main() {
 cmd.Execute(version)
diff --git a/test/init_tf_module_sources_test.go b/test/init_tf_module_sources_test.go
index d4b3333..fb6df34 100644
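Review bot: The new `return fmt.Errorf("invalid use of --module-registry-version with non-registry source")` keeps the `fmt.Println("Error: ...")` immediately above it, so the same failure is now reported twice — once on stdout by the Println and, presumably, once more when cobra prints the returned error (unless SilenceErrors is set) — and the stdout copy cannot be told apart from normal output by anything that checks only the exit status. Either drop the Println and carry the guidance in the error itself, e.g. `return fmt.Errorf("--module-registry-version is only valid for Terraform registry sources like 'namespace/name/provider'; for git URLs or local paths, embed the ref in --module-source")`, or keep the Println and return an error the command is configured to silence. The enclosing InitFromTerraformModule starts and ends outside the hunk, so whether its other failure paths still print and `return nil` is not visible here; if they do, this hunk leaves the command's exit-code behaviour inconsistent across the function.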
--- a/test/init_tf_module_sources_test.go
+++ b/test/init_tf_module_sources_test.go
@@ -39,7 +39,6 @@ var _ = Describe("InitTerraformPromise source integration", func() {
 
 r := &runner{
 exitCode: 0,
- Path: "/opt/homebrew/bin:" + os.Getenv("PATH"),
 flags: map[string]string{
 "--group": "example.com",
 "--kind": "Example",
From b4359eec62d8ec8cf12d831f23694a52d1f832bd Mon Sep 17 00:00:00 2001
From: Jake
Date: Wed, 31 Dec 2025 17:00:57 +0000
Subject: [PATCH 16/17] use next released version of init tf module promise
---
 cmd/init_tf_module_promise.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmd/init_tf_module_promise.go b/cmd/init_tf_module_promise.go
index 2b04576..817247b 100644
--- a/cmd/init_tf_module_promise.go
+++ b/cmd/init_tf_module_promise.go
@@ -156,7 +156,7 @@ func generateTerraformModuleResourceConfigurePipeline(moduleRegistryVersion stri
 "containers": []any{
 v1alpha1.Container{
 Name: "terraform-generate",
- Image: "ghcr.io/syntasso/kratix-cli/terraform-generate:v0.2.0",
+ Image: "ghcr.io/syntasso/kratix-cli/terraform-generate:v0.4.0",
 Env: envs,
 },
 },
From db25e11c2d6580894644488fa2622a5399678ca3 Mon Sep 17 00:00:00 2001
From: Jake
Date: Wed, 31 Dec 2025 17:12:40 +0000
Subject: [PATCH 17/17] fix test version
---
 test/assets/terraform/expected-output-vpc/promise.yaml | 2 +-
 .../workflows/resource/configure/workflow.yaml | 2 +-
 test/assets/terraform/expected-output/promise.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/test/assets/terraform/expected-output-vpc/promise.yaml b/test/assets/terraform/expected-output-vpc/promise.yaml
index 511f88b..6c8be3d 100644
--- a/test/assets/terraform/expected-output-vpc/promise.yaml
+++ b/test/assets/terraform/expected-output-vpc/promise.yaml
@@ -79,6 +79,6 @@ spec: - env: - name: MODULE_SOURCE value: git::https://github.com/GoogleCloudPlatform/cloud-foundation-fabric.git//modules/api-gateway?ref=v49.1.0 - image: ghcr.io/syntasso/kratix-cli/terraform-generate:v0.2.0 + image: ghcr.io/syntasso/kratix-cli/terraform-generate:v0.4.0 name: terraform-generate diff --git a/test/assets/terraform/expected-output-with-split/workflows/resource/configure/workflow.yaml b/test/assets/terraform/expected-output-with-split/workflows/resource/configure/workflow.yaml index 59cfb82..d6567f7 100644 --- a/test/assets/terraform/expected-output-with-split/workflows/resource/configure/workflow.yaml +++ b/test/assets/terraform/expected-output-with-split/workflows/resource/configure/workflow.yaml @@ -7,5 +7,5 @@ - env: - name: MODULE_SOURCE value: git::https://github.com/GoogleCloudPlatform/terraform-google-cloud-run?ref=v0.16.4 - image: ghcr.io/syntasso/kratix-cli/terraform-generate:v0.2.0 + image: ghcr.io/syntasso/kratix-cli/terraform-generate:v0.4.0 name: terraform-generate diff --git a/test/assets/terraform/expected-output/promise.yaml b/test/assets/terraform/expected-output/promise.yaml index 1f10470..e52315a 100644 --- a/test/assets/terraform/expected-output/promise.yaml +++ b/test/assets/terraform/expected-output/promise.yaml @@ -214,6 +214,6 @@ spec: - env: - name: MODULE_SOURCE value: git::https://github.com/GoogleCloudPlatform/terraform-google-cloud-run?ref=v0.16.4 - image: ghcr.io/syntasso/kratix-cli/terraform-generate:v0.2.0 + image: ghcr.io/syntasso/kratix-cli/terraform-generate:v0.4.0 name: terraform-generate