mirror of
https://github.com/empayre/fleet.git
synced 2024-11-06 17:05:18 +00:00
e78554540f
# Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [ ] Documented any permissions changes - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. - [ ] Added/updated tests - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).
387 lines
13 KiB
HCL
387 lines
13 KiB
HCL
variable "vpc" {
|
|
type = object({
|
|
name = optional(string, "fleet")
|
|
cidr = optional(string, "10.10.0.0/16")
|
|
azs = optional(list(string), ["us-east-2a", "us-east-2b", "us-east-2c"])
|
|
private_subnets = optional(list(string), ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"])
|
|
public_subnets = optional(list(string), ["10.10.11.0/24", "10.10.12.0/24", "10.10.13.0/24"])
|
|
database_subnets = optional(list(string), ["10.10.21.0/24", "10.10.22.0/24", "10.10.23.0/24"])
|
|
elasticache_subnets = optional(list(string), ["10.10.31.0/24", "10.10.32.0/24", "10.10.33.0/24"])
|
|
|
|
create_database_subnet_group = optional(bool, false)
|
|
create_database_subnet_route_table = optional(bool, true)
|
|
create_elasticache_subnet_group = optional(bool, true)
|
|
create_elasticache_subnet_route_table = optional(bool, true)
|
|
enable_vpn_gateway = optional(bool, false)
|
|
one_nat_gateway_per_az = optional(bool, false)
|
|
single_nat_gateway = optional(bool, true)
|
|
enable_nat_gateway = optional(bool, true)
|
|
|
|
enable_flow_log = optional(bool, false)
|
|
create_flow_log_cloudwatch_log_group = optional(bool, false)
|
|
create_flow_log_cloudwatch_iam_role = optional(bool, false)
|
|
flow_log_max_aggregation_interval = optional(number, 600)
|
|
flow_log_cloudwatch_log_group_name_prefix = optional(string, "/aws/vpc-flow-log/")
|
|
flow_log_cloudwatch_log_group_name_suffix = optional(string, "")
|
|
vpc_flow_log_tags = optional(map(string), {})
|
|
})
|
|
default = {
|
|
name = "fleet"
|
|
cidr = "10.10.0.0/16"
|
|
azs = ["us-east-2a", "us-east-2b", "us-east-2c"]
|
|
private_subnets = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"]
|
|
public_subnets = ["10.10.11.0/24", "10.10.12.0/24", "10.10.13.0/24"]
|
|
database_subnets = ["10.10.21.0/24", "10.10.22.0/24", "10.10.23.0/24"]
|
|
elasticache_subnets = ["10.10.31.0/24", "10.10.32.0/24", "10.10.33.0/24"]
|
|
|
|
create_database_subnet_group = false
|
|
create_database_subnet_route_table = true
|
|
create_elasticache_subnet_group = true
|
|
create_elasticache_subnet_route_table = true
|
|
enable_vpn_gateway = false
|
|
one_nat_gateway_per_az = false
|
|
single_nat_gateway = true
|
|
enable_nat_gateway = true
|
|
|
|
enable_flow_log = false
|
|
create_flow_log_cloudwatch_log_group = false
|
|
create_flow_log_cloudwatch_iam_role = false
|
|
flow_log_max_aggregation_interval = 600
|
|
flow_log_cloudwatch_log_group_name_prefix = "/aws/vpc-flow-log/"
|
|
flow_log_cloudwatch_log_group_name_suffix = ""
|
|
vpc_flow_log_tags = {}
|
|
}
|
|
}
|
|
|
|
variable "certificate_arn" {
|
|
type = string
|
|
}
|
|
|
|
variable "rds_config" {
|
|
type = object({
|
|
name = optional(string, "fleet")
|
|
engine_version = optional(string, "8.0.mysql_aurora.3.02.2")
|
|
instance_class = optional(string, "db.t4g.large")
|
|
subnets = optional(list(string), [])
|
|
allowed_security_groups = optional(list(string), [])
|
|
allowed_cidr_blocks = optional(list(string), [])
|
|
apply_immediately = optional(bool, true)
|
|
monitoring_interval = optional(number, 10)
|
|
db_parameter_group_name = optional(string)
|
|
db_parameters = optional(map(string), {})
|
|
db_cluster_parameter_group_name = optional(string)
|
|
db_cluster_parameters = optional(map(string), {})
|
|
enabled_cloudwatch_logs_exports = optional(list(string), [])
|
|
master_username = optional(string, "fleet")
|
|
snapshot_identifier = optional(string)
|
|
cluster_tags = optional(map(string), {})
|
|
})
|
|
default = {
|
|
name = "fleet"
|
|
engine_version = "8.0.mysql_aurora.3.02.2"
|
|
instance_class = "db.t4g.large"
|
|
subnets = []
|
|
allowed_security_groups = []
|
|
allowed_cidr_blocks = []
|
|
apply_immediately = true
|
|
monitoring_interval = 10
|
|
db_parameter_group_name = null
|
|
db_parameters = {}
|
|
db_cluster_parameter_group_name = null
|
|
db_cluster_parameters = {}
|
|
enabled_cloudwatch_logs_exports = []
|
|
master_username = "fleet"
|
|
snapshot_identifier = null
|
|
cluster_tags = {}
|
|
}
|
|
description = "The config for the terraform-aws-modules/rds-aurora/aws module"
|
|
nullable = false
|
|
}
|
|
|
|
variable "redis_config" {
|
|
type = object({
|
|
name = optional(string, "fleet")
|
|
replication_group_id = optional(string)
|
|
elasticache_subnet_group_name = optional(string)
|
|
allowed_security_group_ids = optional(list(string), [])
|
|
subnets = optional(list(string))
|
|
availability_zones = optional(list(string))
|
|
cluster_size = optional(number, 3)
|
|
instance_type = optional(string, "cache.m5.large")
|
|
apply_immediately = optional(bool, true)
|
|
automatic_failover_enabled = optional(bool, false)
|
|
engine_version = optional(string, "6.x")
|
|
family = optional(string, "redis6.x")
|
|
at_rest_encryption_enabled = optional(bool, true)
|
|
transit_encryption_enabled = optional(bool, true)
|
|
parameter = optional(list(object({
|
|
name = string
|
|
value = string
|
|
})), [])
|
|
tags = optional(map(string), {})
|
|
})
|
|
default = {
|
|
name = "fleet"
|
|
replication_group_id = null
|
|
elasticache_subnet_group_name = null
|
|
allowed_security_group_ids = []
|
|
subnets = null
|
|
availability_zones = null
|
|
cluster_size = 3
|
|
instance_type = "cache.m5.large"
|
|
apply_immediately = true
|
|
automatic_failover_enabled = false
|
|
engine_version = "6.x"
|
|
family = "redis6.x"
|
|
at_rest_encryption_enabled = true
|
|
transit_encryption_enabled = true
|
|
parameter = []
|
|
tags = {}
|
|
}
|
|
}
|
|
|
|
variable "ecs_cluster" {
|
|
type = object({
|
|
autoscaling_capacity_providers = optional(any, {})
|
|
cluster_configuration = optional(any, {
|
|
execute_command_configuration = {
|
|
logging = "OVERRIDE"
|
|
log_configuration = {
|
|
cloud_watch_log_group_name = "/aws/ecs/aws-ec2"
|
|
}
|
|
}
|
|
})
|
|
cluster_name = optional(string, "fleet")
|
|
cluster_settings = optional(map(string), {
|
|
"name" : "containerInsights",
|
|
"value" : "enabled",
|
|
})
|
|
create = optional(bool, true)
|
|
default_capacity_provider_use_fargate = optional(bool, true)
|
|
fargate_capacity_providers = optional(any, {
|
|
FARGATE = {
|
|
default_capacity_provider_strategy = {
|
|
weight = 100
|
|
}
|
|
}
|
|
FARGATE_SPOT = {
|
|
default_capacity_provider_strategy = {
|
|
weight = 0
|
|
}
|
|
}
|
|
})
|
|
tags = optional(map(string))
|
|
})
|
|
default = {
|
|
autoscaling_capacity_providers = {}
|
|
cluster_configuration = {
|
|
execute_command_configuration = {
|
|
logging = "OVERRIDE"
|
|
log_configuration = {
|
|
cloud_watch_log_group_name = "/aws/ecs/aws-ec2"
|
|
}
|
|
}
|
|
}
|
|
cluster_name = "fleet"
|
|
cluster_settings = {
|
|
"name" : "containerInsights",
|
|
"value" : "enabled",
|
|
}
|
|
create = true
|
|
default_capacity_provider_use_fargate = true
|
|
fargate_capacity_providers = {
|
|
FARGATE = {
|
|
default_capacity_provider_strategy = {
|
|
weight = 100
|
|
}
|
|
}
|
|
FARGATE_SPOT = {
|
|
default_capacity_provider_strategy = {
|
|
weight = 0
|
|
}
|
|
}
|
|
}
|
|
tags = {}
|
|
}
|
|
description = "The config for the terraform-aws-modules/ecs/aws module"
|
|
nullable = false
|
|
}
|
|
|
|
variable "fleet_config" {
|
|
type = object({
|
|
mem = optional(number, 4096)
|
|
cpu = optional(number, 512)
|
|
image = optional(string, "fleetdm/fleet:v4.22.1")
|
|
family = optional(string, "fleet")
|
|
sidecars = optional(list(any), [])
|
|
extra_environment_variables = optional(map(string), {})
|
|
extra_iam_policies = optional(list(string), [])
|
|
extra_execution_iam_policies = optional(list(string), [])
|
|
extra_secrets = optional(map(string), {})
|
|
security_groups = optional(list(string), null)
|
|
security_group_name = optional(string, "fleet")
|
|
iam_role_arn = optional(string, null)
|
|
service = optional(object({
|
|
name = optional(string, "fleet")
|
|
}), {
|
|
name = "fleet"
|
|
})
|
|
database = optional(object({
|
|
password_secret_arn = string
|
|
user = string
|
|
database = string
|
|
address = string
|
|
rr_address = optional(string, null)
|
|
}), {
|
|
password_secret_arn = null
|
|
user = null
|
|
database = null
|
|
address = null
|
|
rr_address = null
|
|
})
|
|
redis = optional(object({
|
|
address = string
|
|
use_tls = optional(bool, true)
|
|
}), {
|
|
address = null
|
|
use_tls = true
|
|
})
|
|
awslogs = optional(object({
|
|
name = optional(string, null)
|
|
region = optional(string, null)
|
|
create = optional(bool, true)
|
|
prefix = optional(string, "fleet")
|
|
retention = optional(number, 5)
|
|
}), {
|
|
name = null
|
|
region = null
|
|
prefix = "fleet"
|
|
retention = 5
|
|
})
|
|
loadbalancer = optional(object({
|
|
arn = string
|
|
}), {
|
|
arn = null
|
|
})
|
|
networking = optional(object({
|
|
subnets = list(string)
|
|
security_groups = optional(list(string), null)
|
|
}), {
|
|
subnets = null
|
|
security_groups = null
|
|
})
|
|
autoscaling = optional(object({
|
|
max_capacity = optional(number, 5)
|
|
min_capacity = optional(number, 1)
|
|
memory_tracking_target_value = optional(number, 80)
|
|
cpu_tracking_target_value = optional(number, 80)
|
|
}), {
|
|
max_capacity = 5
|
|
min_capacity = 1
|
|
memory_tracking_target_value = 80
|
|
cpu_tracking_target_value = 80
|
|
})
|
|
iam = optional(object({
|
|
role = optional(object({
|
|
name = optional(string, "fleet-role")
|
|
policy_name = optional(string, "fleet-iam-policy")
|
|
}), {
|
|
name = "fleet-role"
|
|
policy_name = "fleet-iam-policy"
|
|
})
|
|
execution = optional(object({
|
|
name = optional(string, "fleet-execution-role")
|
|
policy_name = optional(string, "fleet-execution-role")
|
|
}), {
|
|
name = "fleet-execution-role"
|
|
policy_name = "fleet-iam-policy-execution"
|
|
})
|
|
}), {
|
|
name = "fleetdm-execution-role"
|
|
})
|
|
})
|
|
default = {
|
|
mem = 512
|
|
cpu = 256
|
|
image = "fleetdm/fleet:v4.22.1"
|
|
family = "fleet"
|
|
sidecars = []
|
|
extra_environment_variables = {}
|
|
extra_iam_policies = []
|
|
extra_execution_iam_policies = []
|
|
extra_secrets = {}
|
|
security_groups = null
|
|
security_group_name = "fleet"
|
|
iam_role_arn = null
|
|
service = {
|
|
name = "fleet"
|
|
}
|
|
database = {
|
|
password_secret_arn = null
|
|
user = null
|
|
database = null
|
|
address = null
|
|
rr_address = null
|
|
}
|
|
redis = {
|
|
address = null
|
|
use_tls = true
|
|
}
|
|
awslogs = {
|
|
name = null
|
|
region = null
|
|
create = true
|
|
prefix = "fleet"
|
|
retention = 5
|
|
}
|
|
loadbalancer = {
|
|
arn = null
|
|
}
|
|
networking = {
|
|
subnets = null
|
|
security_groups = null
|
|
}
|
|
autoscaling = {
|
|
max_capacity = 5
|
|
min_capacity = 1
|
|
memory_tracking_target_value = 80
|
|
cpu_tracking_target_value = 80
|
|
}
|
|
iam = {
|
|
role = {
|
|
name = "fleet-role"
|
|
policy_name = "fleet-iam-policy"
|
|
}
|
|
execution = {
|
|
name = "fleet-execution-role"
|
|
policy_name = "fleet-iam-policy-execution"
|
|
}
|
|
}
|
|
}
|
|
description = "The configuration object for Fleet itself. Fields that default to null will have their respective resources created if not specified."
|
|
nullable = false
|
|
}
|
|
|
|
variable "migration_config" {
|
|
type = object({
|
|
mem = number
|
|
cpu = number
|
|
})
|
|
description = "The configuration object for Fleet's migration task."
|
|
nullable = false
|
|
default = {
|
|
mem = 2048
|
|
cpu = 1024
|
|
}
|
|
}
|
|
|
|
variable "alb_config" {
|
|
type = object({
|
|
name = optional(string, "fleet")
|
|
security_groups = optional(list(string), [])
|
|
access_logs = optional(map(string), {})
|
|
allowed_cidrs = optional(list(string), ["0.0.0.0/0"])
|
|
})
|
|
default = {}
|
|
}
|