mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-16 11:37:04 +02:00
Code Issues Projects Releases Wiki Activity
2b51e09bda
vault/enos/modules/start_vault/variables.tf
Ryan Cragun a46def288f
[QT-616] Add seal_ha enos scenario (#23812) 
Add support for testing Vault Enterprise with HA seal support by adding
a new `seal_ha` scenario that configures more than one seal type for a
Vault cluster. We also extend existing scenarios to support testing
with or without the Seal HA code path enabled.

* Extract starting vault into a separate enos module to allow for better
  handling of complex clusters that need to be started more than once.
* Extract seal key creation into a separate module and provide it to
  target modules. This allows us to create more than one seal key and
  associate it with instances. This also allows us to forego creating
  keys when using shamir seals.
* [QT-615] Add support for configuring more that one seal type to
  `vault_cluster` module.
* [QT-616] Add `seal_ha` scenario
* [QT-625] Add `seal_ha_beta` variant to existing scenarios to test with
  both code paths.
* Unpin action-setup-terraform
* Add `kms:TagResource` to service user IAM profile

Signed-off-by: Ryan Cragun <me@ryan.ec>
2023-10-26 15:13:30 -06:00

126 lines
3.3 KiB
HCL
Raw Blame History

# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
variable "cluster_name" {
type = string
description = "The Vault cluster name"
}
variable "config_dir" {
type = string
description = "The directory to use for Vault configuration"
default = "/etc/vault.d"
}
variable "environment" {
description = "Optional Vault configuration environment variables to set starting Vault"
type = map(string)
default = null
}
variable "install_dir" {
type = string
description = "The directory where the vault binary will be installed"
default = "/opt/vault/bin"
}
variable "license" {
type = string
sensitive = true
description = "The value of the Vault license"
default = null
}
variable "log_level" {
type = string
description = "The vault service log level"
default = "info"
validation {
condition = contains(["trace", "debug", "info", "warn", "error"], var.log_level)
error_message = "The log_level must be one of 'trace', 'debug', 'info', 'warn', or 'error'."
}
}
variable "manage_service" {
type = bool
description = "Manage the Vault service users and systemd unit. Disable this to use configuration in RPM and Debian packages"
default = true
}
variable "seal_ha_beta" {
description = "Enable using Seal HA on clusters that meet minimum version requirements and are enterprise editions"
default = true
}
variable "seal_key_name" {
type = string
description = "The auto-unseal key name"
default = null
}
variable "seal_key_name_secondary" {
type = string
description = "The secondary auto-unseal key name"
default = null
}
variable "seal_type" {
type = string
description = "The method by which to unseal the Vault cluster"
default = "awskms"
validation {
condition = contains(["awskms", "shamir"], var.seal_type)
error_message = "The seal_type must be either awskms or shamir. No other unseal methods are supported."
}
}
variable "seal_type_secondary" {
type = string
description = "A secondary HA seal method. Only supported in Vault Enterprise >= 1.15"
default = "none"
validation {
condition = contains(["awskms", "none"], var.seal_type_secondary)
error_message = "The secondary_seal_type must be 'awskms' or 'none'. No other secondary unseal methods are supported."
}
}
variable "service_username" {
type = string
description = "The host username to own the vault service"
default = "vault"
}
variable "storage_backend" {
type = string
description = "The storage backend to use"
default = "raft"
validation {
condition = contains(["raft", "consul"], var.storage_backend)
error_message = "The storage_backend must be either raft or consul. No other storage backends are supported."
}
}
variable "storage_backend_attrs" {
type = map(any)
description = "An optional set of key value pairs to inject into the storage block"
default = {}
}
variable "storage_node_prefix" {
type = string
description = "A prefix to use for each node in the Vault storage configuration"
default = "node"
}
variable "target_hosts" {
description = "The target machines host addresses to use for the Vault cluster"
type = map(object({
private_ip = string
public_ip = string
}))
}
Reference in New Issue View Git Blame Copy Permalink