// Copyright IBM Corp. 2016, 2025
// SPDX-License-Identifier: BUSL-1.1

variable "artifactory_token" {
  type        = string
  description = "The token to use when authenticating to artifactory"
  default     = null
  sensitive   = true
}

variable "artifactory_host" {
  type        = string
  description = "The artifactory host to search for vault artifacts"
  default     = "https://artifactory.hashicorp.engineering/artifactory"
}

variable "artifactory_repo" {
  type        = string
  description = "The artifactory repo to search for vault artifacts"
  default     = "hashicorp-crt-stable-local*"
}

variable "aws_region" {
  description = "The AWS region where we'll create infrastructure"
  type        = string
  default     = "us-east-1"
}

variable "aws_ssh_keypair_name" {
  description = "The AWS keypair to use for SSH"
  type        = string
  default     = "enos-ci-ssh-key"
}

variable "aws_ssh_private_key_path" {
  description = "The path to the AWS keypair private key"
  type        = string
  default     = "./support/private_key.pem"
}

variable "backend_edition" {
  description = "The backend release edition if applicable"
  type        = string
  default     = "ce" // or "ent"
}

variable "backend_instance_type" {
  description = "The instance type to use for the Vault backend. Must be arm64/nitro compatible"
  type        = string
  default     = "t4g.small"
}

variable "backend_license_path" {
  description = "The license for the backend if applicable (Consul Enterprise)"
  type        = string
  default     = null
}

variable "backend_log_level" {
  description = "The server log level for the backend. Supported values include 'trace', 'debug', 'info', 'warn', 'error'"
  type        = string
  default     = "trace"
}

variable "blackbox_test_filter" {
  type        = list(string)
  description = "Override list of specific blackbox test packages (e.g., ['core', 'secrets']) or test names (e.g., ['TestUnsealedStatus']). Empty list uses scenario defaults. Package names are converted to directory paths automatically."
  default     = []
}

variable "distro_version_amzn" {
  description = "The version of Amazon Linux 2 to use"
  type        = string
  default     = "2023" // or "2", though pkcs11 has not been tested with 2
}

variable "distro_version_rhel" {
  description = "The version of RedHat Enterprise Linux to use"
  type        = string
  default     = "10.1" // or "8.10", "9.7"
}

variable "distro_version_sles" {
  description = "The version of SUSE Enterprise Linux to use"
  type        = string
  default     = "16.0" // or "15.7"
}

variable "distro_version_ubuntu" {
  description = "The version of Ubuntu Linux to use"
  type        = string
  default     = "24.04" // or "22.04"
}

variable "project_name" {
  description = "The description of the project"
  type        = string
  default     = "vault-enos-integration"
}

variable "tags" {
  description = "Tags that will be applied to infrastructure resources that support tagging"
  type        = map(string)
  default     = null
}

variable "terraform_plugin_cache_dir" {
  description = "The directory to cache Terraform modules and providers"
  type        = string
  default     = null
}

variable "ui_test_filter" {
  type        = string
  description = "A test filter to limit the ui tests to execute. Will be appended to the ember test command as '-f=\"<filter>\"'"
  default     = null
}

variable "ui_run_tests" {
  type        = bool
  description = "Whether to run the UI tests or not. If set to false a cluster will be created but no tests will be run"
  default     = true
}

variable "vault_artifact_type" {
  description = "The type of Vault artifact to use when installing Vault from artifactory. It should be 'package' for .deb or .rpm package and 'bundle' for .zip bundles"
  default     = "bundle"
}

variable "vault_artifact_path" {
  description = "Path to CRT generated or local vault.zip bundle"
  type        = string
  default     = "/tmp/vault.zip"
}

variable "vault_build_date" {
  description = "The build date for Vault artifact"
  type        = string
  default     = ""
}

variable "vault_enable_audit_devices" {
  description = "If true every audit device will be enabled"
  type        = bool
  default     = true
}

variable "vault_install_dir" {
  type        = string
  description = "The directory where the Vault binary will be installed"
  default     = "/opt/vault/bin"
}

variable "vault_instance_count" {
  description = "How many instances to create for the Vault cluster"
  type        = number
  default     = 3
}

variable "vault_license_path" {
  description = "The path to a valid Vault enterprise edition license. This is only required for non-ce editions"
  type        = string
  default     = null
}

variable "vault_ibm_license_path" {
  description = "The path to a valid IBM PAO license. This is only required when testing a license update during the upgrade scenario"
  type        = string
  default     = null
}

variable "vault_ibm_license_edition" {
  description = "The edition to select when using an IBM PAO license. This should match the edition of a valid Vault entitlement in the license located at var.vault_ibm_license_path."
  type        = string
  default     = null
}

variable "vault_local_build_tags" {
  description = "The build tags to pass to the Go compiler for builder:local variants"
  type        = list(string)
  default     = null
}

variable "vault_log_level" {
  description = "The server log level for Vault logs. Supported values (in order of detail) are trace, debug, info, warn, and err."
  type        = string
  default     = "trace"
}

variable "vault_product_version" {
  description = "The version of Vault we are testing"
  type        = string
  default     = null
}

variable "vault_radar_license_path" {
  description = "The license for vault-radar which is used to verify the audit log"
  type        = string
  default     = null
}

variable "vault_revision" {
  description = "The git sha of Vault artifact we are testing"
  type        = string
  default     = null
}

variable "vault_upgrade_initial_version" {
  description = "The Vault release to deploy before upgrading"
  type        = string
  default     = "1.13.13"
}

variable "verify_aws_secrets_engine" {
  description = "If true we'll verify AWS secrets engines behavior. Because of user creation restrictions in Doormat AWS accounts, only turn this on for CI, as it depends on resources that exist only in those accounts"
  type        = bool
  default     = false
}

variable "verify_kmip_secrets_engine" {
  description = "If true we'll verify KMIP secrets engines behavior"
  type        = bool
  default     = true
}

variable "verify_ldap_secrets_engine" {
  description = "If true we'll verify LDAP secrets engines behavior"
  type        = bool
  default     = true
}

variable "verify_log_secrets" {
  description = "If true and var.vault_enable_audit_devices is true we'll verify that the audit log does not contain unencrypted secrets. Requires var.vault_radar_license_path to be set to a valid license file."
  type        = bool
  default     = false // Only because it requires a Vault Radar license
}