variables.tf
# ------------------------------------------------------------------------------
# Required parameters
#
# You must provide a value for each of these parameters.
# ------------------------------------------------------------------------------
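variable "entity_name" {
  # Identifier of the principal (user, team, workload, ...) the role is built for.
  # It is substituted into the role_name and role_description templates, so an
  # empty or whitespace-only value would produce a malformed role name.
  description = "The name of the entity that the role is being created for (e.g. \"test-user\")."
  nullable    = false
  type        = string

  validation {
    condition     = length(trimspace(var.entity_name)) > 0
    error_message = "entity_name must not be empty or whitespace-only."
  }
}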
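variable "s3_bucket" {
  # Exactly one bucket name. Wildcard characters are rejected at plan time so
  # that the grant cannot silently widen to every bucket matching a pattern
  # (presumably this value ends up in an S3 resource ARN - confirm in the
  # policy document). Scope access within the bucket with s3_objects instead.
  description = "The name of the S3 bucket that the created role will be allowed access to (e.g. \"my-bucket\")."
  nullable    = false
  type        = string

  validation {
    condition     = length(var.s3_bucket) > 0 && !can(regex("[*?]", var.s3_bucket))
    error_message = "s3_bucket must be a single, non-empty bucket name; wildcards (* and ?) are not allowed."
  }
}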
# ------------------------------------------------------------------------------
# Optional parameters
#
# These parameters have reasonable defaults.
# ------------------------------------------------------------------------------
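variable "account_ids" {
  # Accounts whose principals may assume the role. Every element must be a
  # 12-digit AWS account ID; anything else (aliases, ARNs, typos) would yield
  # a broken or unintended trust policy, so it is rejected up front.
  default     = []
  description = "AWS account IDs that are allowed to assume the role."
  nullable    = false
  type        = list(string)

  validation {
    condition     = alltrue([for id in var.account_ids : can(regex("^[0-9]{12}$", id))])
    error_message = "Every element of account_ids must be a 12-digit AWS account ID."
  }
}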
variable "additional_role_tags" {
  # Extra tags merged onto the IAM role on top of the provider-level
  # default_tags. Empty by default; the variable itself may not be null.
  type        = map(string)
  description = "Tags to apply to the IAM role that allows access to the specified S3 buckets, in addition to the provider's default tags."
  nullable    = false
  default     = {}
}
variable "aws_region" {
  # Region for regional resources. IAM roles and policies are global, so this
  # presumably only affects whatever non-global resources the module creates
  # (e.g. the provider configuration) - confirm against the root module.
  type        = string
  description = "The AWS region where the non-global resources are to be provisioned (e.g. \"us-east-1\")."
  nullable    = false
  default     = "us-east-1"
}
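variable "iam_usernames" {
  # Principals (per account in account_ids) trusted to assume the role.
  # "root" delegates the decision to the account's own IAM policies, which is
  # why it overrides any other names. Elements must be non-empty and free of
  # wildcard characters: a "*" here could not be a valid single principal and
  # must not be allowed to broaden the trust policy by accident.
  default     = ["root"]
  description = "The list of IAM usernames allowed to assume the role. If not provided, defaults to allowing any user in the specified account(s). Note that including \"root\" in this list will override any other usernames in the list."
  nullable    = false
  type        = list(string)

  validation {
    condition     = alltrue([for u in var.iam_usernames : length(u) > 0 && !can(regex("[*?]", u))])
    error_message = "Every element of iam_usernames must be a non-empty IAM user name without wildcard characters (* or ?)."
  }
}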
variable "read_only" {
  # Least-privilege default: the role and policy are read-only unless the
  # caller explicitly opts into write access.
  type        = bool
  description = "A Boolean value indicating whether or not to make the role and policy read-only. If false then the role and policy will allow write permissions."
  nullable    = false
  default     = true
}
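variable "role_description" {
  # Format template for the role/policy description. Placeholders are filled
  # in order: access level ("read-only"/"read-write"), s3_bucket, entity_name.
  # Fewer than three "%s" leaves the value untouched; more than three would
  # fail inside format(), so that case is caught here with a clear message.
  default     = "Allows %s access to S3 bucket %s required for %s."
  description = "The description to associate with the IAM role (as well as the corresponding policy) that allows access to the specified object(s) in the specified S3 buckets. Note that the first \"%s\" in this value will get replaced with either \"read-only\" or \"read-write\" depending on the value of read_only, the second \"%s\" will get replaced with the s3_bucket variable, and the third \"%s\" will get replaced with the entity_name variable. If there are less than three instances of \"%s\" present in this value, no replacements will be made and the value will be used as is. Including more than three instances of \"%s\" in this value will result in a Terraform error, so don't do that."
  nullable    = false
  type        = string

  validation {
    condition     = length(regexall("%s", var.role_description)) <= 3
    error_message = "role_description may contain at most three \"%s\" placeholders."
  }
}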
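variable "role_name" {
  # Format template for the role/policy name. Placeholders are filled in
  # order: s3_bucket, "ReadOnly"/"ReadWrite", entity_name. Fewer than three
  # "%s" leaves the value untouched; more than three would fail inside
  # format(), so that case is rejected here. The result is truncated to the
  # 64-character IAM limit elsewhere, so long templates are not rejected.
  default     = "%s-%s-%s"
  description = "The name to assign the IAM role (as well as the corresponding policy) that allows access to the specified S3 buckets. Note that the first \"%s\" in this value will get replaced with the s3_bucket variable and the third \"%s\" will get replaced with the entity_name variable. The second \"%s\" in this value will get replaced by \"ReadOnly\" if read_only is true and \"ReadWrite\" otherwise. If there are less than three instances of \"%s\" present in this value then no replacements will be made and the value will be used as is. Including more than three instances of \"%s\" in this value will result in a Terraform error, so don't do that. If the role name is longer than the current AWS limit of 64 characters (either as-is or after \"%s\" replacements), the role name will be truncated to the first 64 characters."
  nullable    = false
  type        = string

  validation {
    condition     = length(var.role_name) > 0 && length(regexall("%s", var.role_name)) <= 3
    error_message = "role_name must be non-empty and may contain at most three \"%s\" placeholders."
  }
}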
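variable "s3_objects" {
  # Object keys / key patterns inside s3_bucket the role may touch. The
  # default "*" grants every object in the bucket, so callers wanting a
  # narrower grant should list specific keys or prefixes. Empty elements are
  # rejected because they carry no meaning in an object ARN.
  default     = ["*"]
  description = "A list specifying the objects in the S3 bucket that the created role will be allowed to access (e.g. [\"my-file\", \"projects\\example\\*\"]). AWS-supported S3 ARN wildcards (* and ?) can be used, but full regular expressions can not. If not specified, the role will be allowed to access any object in the bucket."
  nullable    = false
  type        = list(string)

  validation {
    condition     = alltrue([for o in var.s3_objects : length(o) > 0])
    error_message = "Every element of s3_objects must be a non-empty object key or key pattern."
  }
}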