# Region every resource in this module is created in.
variable "region" {
  description = "AWS region in which you want to create resources"
  type        = string
  default     = "us-east-1"
}
# Optional named AWS CLI profile used by the provider for authentication.
variable "profile" {
  description = "AWS CLI profile to use as authentication method"
  type        = string
  default     = null
}
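# Static credential used only when no profile / ambient credentials are supplied.
# Marked sensitive so the value is redacted from plan and apply output.
variable "access_key" {
  type        = string
  default     = null
  sensitive   = true
  description = "AWS access key to use as authentication method"
}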
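# Secret half of the static credential pair; redacted from plan and apply output.
variable "secret_key" {
  type        = string
  default     = null
  sensitive   = true
  description = "AWS secret key to use as authentication method"
}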
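# Temporary-credential session token; a credential, so redacted from plan and apply output.
variable "session_token" {
  type        = string
  default     = null
  sensitive   = true
  description = "AWS session token to use as authentication method"
}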
# DynamoDB table that tracks access keys scheduled for deletion.
variable "table_name" {
  description = "Name of dynamodb table to store access keys to be deleted"
  type        = string
  default     = "iam-key-rotator"
}
# Server-side encryption toggle for the DynamoDB table (on by default).
variable "enable_sse" {
  description = "Whether to enable server-side encryption for dynamodb table"
  type        = bool
  default     = true
}
# Optional customer-managed KMS key for the table; null means the AWS-owned key is used.
variable "kms_key_arn" {
  description = "ARN of customer owned CMK to use instead of AWS owned key for dynamodb table"
  type        = string
  default     = null
}
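# Point-in-time recovery toggle for the DynamoDB table (off by default).
variable "enable_pitr" {
  type        = bool
  default     = false
  description = "Enable point-in-time recovery for dynamodb table"
}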
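# Execution role name for the key creator Lambda function.
variable "key_creator_role_name" {
  type        = string
  default     = "iam-key-creator"
  description = "Name for IAM role to associate with key creator lambda function"
}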
# Name of the Lambda function that generates new access key pairs.
variable "key_creator_function_name" {
  description = "Name for lambda function responsible for creating new access key pair"
  type        = string
  default     = "iam-key-creator"
}
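# Execution role name for the key destructor Lambda function.
variable "key_destructor_role_name" {
  type        = string
  default     = "iam-key-destructor"
  description = "Name for IAM role to associate with key destructor lambda function"
}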
# Name of the Lambda function that deletes superseded access key pairs.
variable "key_destructor_function_name" {
  description = "Name for lambda function responsible for deleting existing access key pair"
  type        = string
  default     = "iam-key-destructor"
}
# EventBridge schedule for the key creator function; default runs daily at 12:00 UTC.
variable "cron_expression" {
  description = "[CRON expression](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-schedule-expressions.html) to determine how frequently `key creator` function will be invoked to check if new key pair needs to be generated for an IAM user"
  type        = string
  default     = "0 12 * * ? *"
}
# Runtime shared by the creator and destructor functions.
variable "lambda_runtime" {
  description = "Lambda runtime to use for code execution for both creator and destructor function"
  type        = string
  default     = "python3.11"
}
# Memory (MB) allocated to each of the two Lambda functions.
variable "function_memory_size" {
  description = "Amount of memory to allocate to both creator and destructor function"
  type        = number
  default     = 128
}
# Execution timeout (seconds) applied to both Lambda functions.
variable "function_timeout" {
  description = "Timeout to set for both creator and destructor function"
  type        = number
  default     = 10
}
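# Reserved concurrency for the Lambda functions. -1 = unreserved, 0 = function cannot be invoked.
variable "reserved_concurrent_executions" {
  type        = number
  default     = -1
  description = "Amount of reserved concurrent executions for this lambda function. A value of `0` disables lambda from being triggered and `-1` removes any concurrency limitations"

  # Anything below -1 has no meaning per the description above; reject it at plan time.
  validation {
    condition     = var.reserved_concurrent_executions >= -1
    error_message = "The reserved_concurrent_executions value must be -1 (no limit), 0 (disabled) or a positive number."
  }
}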
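# X-Ray tracing mode for the Lambda functions; only the two documented values are accepted.
variable "xray_tracing_mode" {
  type        = string
  default     = "PassThrough"
  description = "Whether to sample and trace a subset of incoming requests with AWS X-Ray. **Possible values:** `PassThrough` and `Active`"

  validation {
    condition     = contains(["PassThrough", "Active"], var.xray_tracing_mode)
    error_message = "The xray_tracing_mode value must be either PassThrough or Active."
  }
}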
# Tags applied to every resource created by the module.
variable "tags" {
  description = "Key value pair to assign to resources"
  type        = map(string)
  default     = {}
}
# Default key age that triggers rotation; a per-user IKR:ROTATE_AFTER_DAYS tag overrides it.
variable "rotate_after_days" {
  description = "Days after which a new access key pair should be generated. **Note:** If `IKR:ROTATE_AFTER_DAYS` tag is set for the IAM user, this is ignored"
  type        = number
  default     = 85
}
# Grace period before the old key is deleted; a per-user IKR:DELETE_AFTER_DAYS tag overrides it.
variable "delete_after_days" {
  description = "No. of days to wait for deleting existing key pair after a new key pair is generated. **Note:** If `IKR:DELETE_AFTER_DAYS` tag is set for the IAM user, this is ignored"
  type        = number
  default     = 5
}
# Back-off (minutes) between deletion attempts when the destructor fails.
variable "retry_after_mins" {
  description = "In case lambda fails to delete the old key, how long should it wait before the next try"
  type        = number
  default     = 5
}
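# When true the key pair is mailed encrypted; the decryption key lives in SSM Parameter Store.
variable "encrypt_key_pair" {
  type        = bool
  default     = true
  description = "Whether to share encrypted version of key pair with the user instead of sending them in plain text. The encryption key will be stored in SSM parameter store in `/ikr/secret/iam/USERNAME` format"
}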
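# Mail backend used to deliver new key pairs; only the three documented clients are accepted.
variable "mail_client" {
  type        = string
  default     = "ses"
  description = "Mail client to use. **Supported Clients:** smtp, ses and mailgun"

  validation {
    condition     = contains(["smtp", "ses", "mailgun"], var.mail_client)
    error_message = "The mail_client value must be one of: smtp, ses, mailgun."
  }
}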
# Sender address; has no default, so the caller must supply it.
variable "mail_from" {
  description = "Email address which should be used for sending mails. **Note:** Prior setup of mail client is required"
  type        = string
}
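# Transport security for SMTP; null is allowed because it is only needed when mail_client is smtp.
variable "smtp_protocol" {
  type        = string
  default     = null
  description = "Security protocol to use for SMTP connection. **Supported values:** ssl and tls. **Note:** Required if mail client is set to smtp"

  # Plain equality is used instead of contains() so a null value is accepted without error.
  validation {
    condition     = var.smtp_protocol == null || var.smtp_protocol == "ssl" || var.smtp_protocol == "tls"
    error_message = "The smtp_protocol value must be either ssl or tls."
  }
}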
# SMTP port; only consulted when mail_client is smtp.
variable "smtp_port" {
  description = "Secure port number to use for SMTP connection. **Note:** Required if mail client is set to smtp"
  type        = number
  default     = null
}
# SMTP server hostname; only consulted when mail_client is smtp.
variable "smtp_server" {
  description = "Host name of SMTP server. **Note:** Required if mail client is set to smtp"
  type        = string
  default     = null
}
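# SMTP credential; marked sensitive so it is redacted from plan and apply output.
variable "smtp_password" {
  type        = string
  default     = null
  sensitive   = true
  description = "Password to use with `mail_from` address for SMTP authentication. **Note:** Required if mail client is set to smtp"
}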
# Mailgun endpoint; only consulted when mail_client is mailgun.
variable "mailgun_api_url" {
  description = "Mailgun API url for sending email. **Note:** Required if mail client is set to mailgun"
  type        = string
  default     = null
}
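# Mailgun credential; marked sensitive so it is redacted from plan and apply output.
variable "mailgun_api_key" {
  type        = string
  default     = null
  sensitive   = true
  description = "API key for authenticating requests to Mailgun API. **Note:** Required if mail client is set to mailgun"
}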
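# CloudWatch log retention in days; CloudWatch only accepts the discrete values listed below.
variable "cw_log_group_retention" {
  type        = number
  default     = 90
  description = "Number of days to store the logs in a log group. Valid values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. To never expire the logs provide 0"

  # Fail at plan time rather than on the API call for an unsupported retention period.
  validation {
    condition     = contains([0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653], var.cw_log_group_retention)
    error_message = "The cw_log_group_retention value must be one of: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653."
  }
}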
# Optional KMS key for encrypting the Lambda log groups at rest.
variable "cw_logs_kms_key_arn" {
  description = "ARN of KMS key to use for encrypting CloudWatch logs at rest"
  type        = string
  default     = null
}