diff --git a/modules/acm/.gitignore b/modules/acm/.gitignore index aee8cb674..ca3790e41 100644 --- a/modules/acm/.gitignore +++ b/modules/acm/.gitignore @@ -1,3 +1,5 @@ # This fill will be always downloaded by terraform local-exec command from gc bucket config-management-operator.yaml /terraform.tfvars +/apply.out +/local.tfvars diff --git a/modules/acm/README.md b/modules/acm/README.md index 996066766..ad34beda3 100644 --- a/modules/acm/README.md +++ b/modules/acm/README.md @@ -53,6 +53,8 @@ By default, this module will attempt to download the ACM operator from Google di | operator\_path | Path to the operator yaml config. If unset, will download from GCS releases. | string | `"null"` | no | | policy\_dir | Subfolder containing configs in ACM Git repo | string | n/a | yes | | project\_id | The project in which the resource belongs. | string | n/a | yes | +| secret\_type | git authentication secret type, is passed through to ConfigManagement spec.git.secretType. Overriden to value 'ssh' if `create_ssh_key` is true | string | `"ssh"` | no | +| skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module) | bool | `"false"` | no | | ssh\_auth\_key | Key for Git authentication. Overrides 'create_ssh_key' variable. Can be set using 'file(path/to/file)'-function. | string | `"null"` | no | | sync\_branch | ACM repo Git branch | string | `"master"` | no | | sync\_repo | ACM Git repo address | string | n/a | yes | @@ -61,6 +63,6 @@ By default, this module will attempt to download the ACM operator from Google di | Name | Description | |------|-------------| -| git\_creds\_public | Public key of SSH keypair to allow the Anthos Operator to authenticate to your Git repository. | +| git\_creds\_public | Public key of SSH keypair to allow the Anthos Config Management Operator to authenticate to your Git repository. | diff --git a/modules/acm/main.tf b/modules/acm/main.tf index 694eddf62..40887807c 100644 
--- a/modules/acm/main.tf +++ b/modules/acm/main.tf 
@@ -14,87 +14,27 @@ * limitations under the License. */ -locals { - cluster_endpoint = "https://${var.cluster_endpoint}" - token = data.google_client_config.default.access_token - cluster_ca_certificate = data.google_container_cluster.primary.master_auth.0.cluster_ca_certificate - private_key = var.create_ssh_key && var.ssh_auth_key == null ? tls_private_key.git_creds[0].private_key_pem : var.ssh_auth_key - download_operator = var.operator_path == null ? true : false - operator_path = local.download_operator ? "${path.module}/config-management-operator.yaml" : var.operator_path -} - -data "google_container_cluster" "primary" { - name = var.cluster_name - project = var.project_id - location = var.location -} - -data "google_client_config" "default" { -} - -resource "tls_private_key" "git_creds" { - count = var.create_ssh_key ? 1 : 0 - algorithm = "RSA" - rsa_bits = 4096 -} - -module "acm_operator_config" { - source = "terraform-google-modules/gcloud/google" - version = "~> 0.5" - enabled = local.download_operator - - create_cmd_entrypoint = "gsutil" - create_cmd_body = "cp gs://config-management-release/released/latest/config-management-operator.yaml ${path.module}/config-management-operator.yaml" - destroy_cmd_entrypoint = "rm" - destroy_cmd_body = "-f ${path.module}/config-management-operator.yaml" -} - module "acm_operator" { - source = "terraform-google-modules/gcloud/google" - version = "~> 0.5" - module_depends_on = [module.acm_operator_config.wait, data.google_client_config.default.project, data.google_container_cluster.primary.name] - additional_components = ["kubectl"] - - create_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh" - create_cmd_body = "${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl apply -f ${local.operator_path}" - destroy_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh" - destroy_cmd_body = "${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl delete -f 
${local.operator_path}" -} - -module "git_creds_secret" { - source = "terraform-google-modules/gcloud/google" - version = "~> 0.5" - module_depends_on = [module.acm_operator.wait] - additional_components = ["kubectl"] - - create_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh" - create_cmd_body = "${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl create secret generic git-creds -n=config-management-system --from-literal=ssh='${local.private_key}'" - destroy_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh" - destroy_cmd_body = "${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl delete secret git-creds -n=config-management-system" -} - -data "template_file" "acm_config" { - template = file("${path.module}/templates/acm-config.yml.tpl") - - vars = { - cluster_name = var.cluster_name - sync_repo = var.sync_repo - sync_branch = var.sync_branch - policy_dir = var.policy_dir - secret_type = var.create_ssh_key ? "ssh" : "none" - enable_policy_controller = var.enable_policy_controller ? "true" : "false" - install_template_library = var.install_template_library ? 
"true" : "false" - } -} - -module "acm_config" { - source = "terraform-google-modules/gcloud/google" - version = "~> 0.5" - module_depends_on = [module.acm_operator.wait, module.git_creds_secret.wait] - additional_components = ["kubectl"] - create_cmd_entrypoint = "echo" - create_cmd_body = "'${data.template_file.acm_config.rendered}' | ${path.module}/scripts/kubectl_wrapper.sh ${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl apply -f -" - destroy_cmd_entrypoint = "echo" - destroy_cmd_body = "'${data.template_file.acm_config.rendered}' | ${path.module}/scripts/kubectl_wrapper.sh ${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl delete -f -" + source = "../k8s-operator-crd-support" + + cluster_name = var.cluster_name + project_id = var.project_id + location = var.location + operator_path = var.operator_path + sync_repo = var.sync_repo + sync_branch = var.sync_branch + policy_dir = var.policy_dir + cluster_endpoint = var.cluster_endpoint + create_ssh_key = var.create_ssh_key + secret_type = var.secret_type + ssh_auth_key = var.ssh_auth_key + enable_policy_controller = var.enable_policy_controller + install_template_library = var.install_template_library + skip_gcloud_download = var.skip_gcloud_download + + operator_latest_manifest_url = "gs://config-management-release/released/latest/config-management-operator.yaml" + operator_cr_template_path = "${path.module}/templates/acm-config.yml.tpl" + operator_credential_namespace = "config-management-system" + operator_credential_name = "git-creds" } diff --git a/modules/acm/outputs.tf b/modules/acm/outputs.tf index 1945ba4f5..5a1bdd47e 100644 --- a/modules/acm/outputs.tf +++ b/modules/acm/outputs.tf 
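Review bot: The behaviour for callers that set `create_ssh_key = false` changes silently in this hunk: the removed `template_file` block rendered `secret_type = var.create_ssh_key ? "ssh" : "none"`, while the new pass-through forwards `var.secret_type`, whose default added in this commit is `"ssh"`, so those callers now render `secretType: ssh` and the shared module appears to go on and create a `git-creds` secret from `ssh_auth_key`. Either default `secret_type` to `"none"` to preserve the old result, or document it as a breaking change in the README. The new `operator_latest_manifest_url` also points at `released/latest/`, so each fresh apply installs whatever manifest is in the bucket at that moment with no version pin or checksum before it is applied to the cluster; a comment such as `# NOTE: unpinned "latest" manifest; set operator_path to a vetted copy for reproducible installs` would make that trade-off visible to users of the module.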
@@ -15,7 +15,6 @@ */ output "git_creds_public" { - description = "Public key of SSH keypair to allow the Anthos Operator to authenticate to your Git repository." - value = var.create_ssh_key ? tls_private_key.git_creds.*.public_key_openssh : null + description = "Public key of SSH keypair to allow the Anthos Config Management Operator to authenticate to your Git repository." + value = module.acm_operator.git_creds_public } - diff --git a/modules/acm/variables.tf b/modules/acm/variables.tf index d56f20b07..c03937eb0 100644 --- a/modules/acm/variables.tf +++ b/modules/acm/variables.tf @@ -62,6 +62,12 @@ variable "create_ssh_key" { default = true } +variable "secret_type" { + description = "git authentication secret type, is passed through to ConfigManagement spec.git.secretType. Overriden to value 'ssh' if `create_ssh_key` is true" + type = string + default = "ssh" +} + variable "ssh_auth_key" { description = "Key for Git authentication. Overrides 'create_ssh_key' variable. Can be set using 'file(path/to/file)'-function." type = string @@ -79,3 +85,9 @@ variable "install_template_library" { type = bool default = true } + +variable "skip_gcloud_download" { + description = "Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module)" + type = bool + default = false +} diff --git a/modules/config-sync/.gitignore b/modules/config-sync/.gitignore new file mode 100644 index 000000000..ca3790e41 --- /dev/null +++ b/modules/config-sync/.gitignore @@ -0,0 +1,5 @@ +# This fill will be always downloaded by terraform local-exec command from gc bucket +config-management-operator.yaml +/terraform.tfvars +/apply.out +/local.tfvars diff --git a/modules/config-sync/README.md b/modules/config-sync/README.md new file mode 100644 index 000000000..706d41b12 --- /dev/null +++ b/modules/config-sync/README.md 
@@ -0,0 +1,69 @@ +# Terraform Kubernetes Engine Config Sync Submodule + +This module installs [Config Sync](https://cloud.google.com/kubernetes-engine/docs/add-on/config-sync) in a Kubernetes cluster. + +Specifically, this module automates the following steps for [installing Config +Sync](https://cloud.google.com/kubernetes-engine/docs/add-on/config-sync/how-to/installing): +1. Installing the Config Sync Operator manifest onto your cluster. +2. Using an existing or generating a new SSH key for accessing Git and providing it to the Operator +3. Configuring the Operator to connect to your git repository + +## Usage + +The following is an example minimal usage. Please see the +[variables.tf](variables.tf) file for more details and expected values and +types. + +```tf +module "config_sync" { + source = "terraform-google-modules/kubernetes-engine/google//modules/config-sync" + + project_id = "my-project-id" + cluster_name = "my-cluster-name" + location = module.gke.location + cluster_endpoint = module.gke.endpoint + + sync_repo = "git@github.com:GoogleCloudPlatform/csp-config-management.git" + sync_branch = "1.0.0" + policy_dir = "foo-corp" +} +``` + +To deploy this config: +1. Run `terraform apply` +2. Inspect the `git_creds_public` [output](#outputs) to retrieve the public key + used for accessing Git. Whitelist this key for access to your Git + repo. Instructions for some popular Git hosting providers are included for + convenience: + + * [Cloud Souce Repositories](https://cloud.google.com/source-repositories/docs/authentication#ssh) + * [Bitbucket](https://confluence.atlassian.com/bitbucket/set-up-an-ssh-key-728138079.html) + * [GitHub](https://help.github.com/articles/adding-a-new-ssh-key-to-your-github-account/) + * [Gitlab](https://docs.gitlab.com/ee/ssh/) + + + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|:----:|:-----:|:-----:| +| cluster\_endpoint | Kubernetes cluster endpoint. 
| string | n/a | yes | +| cluster\_name | The unique name to identify the cluster in ACM. | string | n/a | yes | +| create\_ssh\_key | Controls whether a key will be generated for Git authentication | bool | `"true"` | no | +| location | The location (zone or region) this cluster has been created in. | string | n/a | yes | +| operator\_path | Path to the operator yaml config. If unset, will download from GCS releases. | string | `"null"` | no | +| policy\_dir | Subfolder containing configs in ACM Git repo | string | n/a | yes | +| project\_id | The project in which the resource belongs. | string | n/a | yes | +| secret\_type | credential secret type, passed through to ConfigManagement spec.git.secretType. Overriden to value 'ssh' if `create_ssh_key` is true | string | n/a | yes | +| skip\_gcloud\_download | Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module) | bool | `"false"` | no | +| ssh\_auth\_key | Key for Git authentication. Overrides 'create_ssh_key' variable. Can be set using 'file(path/to/file)'-function. | string | `"null"` | no | +| sync\_branch | ACM repo Git branch | string | `"master"` | no | +| sync\_repo | ACM Git repo address | string | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| git\_creds\_public | Public key of SSH keypair to allow the Config Sync Operator to authenticate to your Git repository. | + + diff --git a/modules/config-sync/main.tf b/modules/config-sync/main.tf new file mode 100644 index 000000000..858421c1e --- /dev/null +++ b/modules/config-sync/main.tf 
@@ -0,0 +1,38 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "configsync_operator" {
+
+ source = "../k8s-operator-crd-support"
+
+ cluster_name = var.cluster_name
+ project_id = var.project_id
+ location = var.location
+ operator_path = var.operator_path
+ sync_repo = var.sync_repo
+ sync_branch = var.sync_branch
+ policy_dir = var.policy_dir
+ cluster_endpoint = var.cluster_endpoint
+ create_ssh_key = var.create_ssh_key
+ secret_type = var.secret_type
+ ssh_auth_key = var.ssh_auth_key
+ skip_gcloud_download = var.skip_gcloud_download
+
+ operator_latest_manifest_url = "gs://config-management-release/released/latest/config-sync-operator.yaml"
+ operator_cr_template_path = "${path.module}/templates/config-sync-config.yml.tpl"
+ operator_credential_namespace = "config-management-system"
+ operator_credential_name = "git-creds"
+}
diff --git a/modules/config-sync/outputs.tf b/modules/config-sync/outputs.tf
new file mode 100644
index 000000000..61be7ba70
--- /dev/null
+++ b/modules/config-sync/outputs.tf
@@ -0,0 +1,21 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "git_creds_public" {
+ description = "Public key of SSH keypair to allow the Config Sync Operator to authenticate to your Git repository."
+ value = module.configsync_operator.git_creds_public
+}
+
diff --git a/modules/config-sync/templates/config-sync-config.yml.tpl b/modules/config-sync/templates/config-sync-config.yml.tpl
new file mode 100644
index 000000000..a9f7fa45c
--- /dev/null
+++ b/modules/config-sync/templates/config-sync-config.yml.tpl
@@ -0,0 +1,12 @@
+apiVersion: configmanagement.gke.io/v1
+kind: ConfigManagement
+metadata:
+ name: config-management
+spec:
+ # clusterName is required and must be unique among all managed clusters
+ clusterName: ${cluster_name}
+ git:
+ syncRepo: ${sync_repo}
+ syncBranch: ${sync_branch}
+ secretType: ${secret_type}
+ policyDir: ${policy_dir}
diff --git a/modules/config-sync/variables.tf b/modules/config-sync/variables.tf
new file mode 100644
index 000000000..419da0c75
--- /dev/null
+++ b/modules/config-sync/variables.tf
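Review bot: Every scalar in this template is interpolated unquoted (`syncBranch: ${sync_branch}`, `policyDir: ${policy_dir}`), so a branch or directory name that YAML reads as a non-string, such as `1.0` or `yes`, changes type in the rendered ConfigManagement spec, and a value containing `: ` or a newline would be parsed as additional keys rather than as the intended string. Quoting the interpolations, `syncRepo: "${sync_repo}"`, `syncBranch: "${sync_branch}"`, `policyDir: "${policy_dir}"`, keeps the document well-typed for ordinary inputs; the values are module inputs rather than untrusted data, so this is a robustness rather than an injection concern. A comment noting that `secretType` is forced to `ssh` by the calling module whenever `create_ssh_key` is true would also help readers of the template.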
@@ -0,0 +1,80 @@ +/** + * Copyright 2018 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +variable "cluster_name" { + description = "The unique name to identify the cluster in ACM." + type = string +} + +variable "project_id" { + description = "The project in which the resource belongs." + type = string +} + +variable "location" { + description = "The location (zone or region) this cluster has been created in." + type = string +} + +variable "operator_path" { + description = "Path to the operator yaml config. If unset, will download from GCS releases." + type = string + default = null +} + +variable "sync_repo" { + description = "ACM Git repo address" + type = string +} + +variable "sync_branch" { + description = "ACM repo Git branch" + type = string + default = "master" +} + +variable "policy_dir" { + description = "Subfolder containing configs in ACM Git repo" + type = string +} + +variable "cluster_endpoint" { + description = "Kubernetes cluster endpoint." + type = string +} + +variable "create_ssh_key" { + description = "Controls whether a key will be generated for Git authentication" + type = bool + default = true +} + +variable "secret_type" { + description = "credential secret type, passed through to ConfigManagement spec.git.secretType. Overriden to value 'ssh' if `create_ssh_key` is true" + type = string +} + +variable "ssh_auth_key" { + description = "Key for Git authentication. Overrides 'create_ssh_key' variable. 
Can be set using 'file(path/to/file)'-function." + type = string + default = null +} + +variable "skip_gcloud_download" { + description = "Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module)" + type = bool + default = false +} diff --git a/modules/k8s-operator-crd-support/.gitignore b/modules/k8s-operator-crd-support/.gitignore new file mode 100644 index 000000000..ca3790e41 --- /dev/null +++ b/modules/k8s-operator-crd-support/.gitignore @@ -0,0 +1,5 @@ +# This fill will be always downloaded by terraform local-exec command from gc bucket +config-management-operator.yaml +/terraform.tfvars +/apply.out +/local.tfvars diff --git a/modules/k8s-operator-crd-support/main.tf b/modules/k8s-operator-crd-support/main.tf new file mode 100644 index 000000000..e9811f331 --- /dev/null +++ b/modules/k8s-operator-crd-support/main.tf 
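Review bot: `secret_type` is declared here without a default, which makes it a required input, yet its own description says it is overridden to `ssh` whenever `create_ssh_key` is true, and `create_ssh_key` defaults to true; the minimal README example in this commit omits `secret_type` and would therefore fail with a missing-variable error. Giving it `default = "ssh"` as the acm module's copy of the variable does makes the example valid and the two modules consistent. The `ssh_auth_key` description, copied from the acm module, still tells callers to pass key content via `file(path/to/file)`, while the shared module appears to call `file()` on the value itself; the wording should state which form is expected.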
@@ -0,0 +1,109 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ cluster_endpoint = "https://${var.cluster_endpoint}"
+ token = data.google_client_config.default.access_token
+ cluster_ca_certificate = data.google_container_cluster.primary.master_auth.0.cluster_ca_certificate
+ private_key = var.create_ssh_key && var.ssh_auth_key == null ? tls_private_key.k8sop_creds[0].private_key_pem : file(var.ssh_auth_key)
+ k8sop_creds_secret_key = var.secret_type == "cookiefile" ? "cookie_file" : var.secret_type
+ should_download_manifest = var.operator_path == null ? true : false
+ manifest_path = local.should_download_manifest ? "${path.root}/.terraform/tmp/config-management-operator.yaml" : var.operator_path
+}
+
+
+data "google_container_cluster" "primary" {
+ name = var.cluster_name
+ project = var.project_id
+ location = var.location
+}
+
+data "google_client_config" "default" {
+}
+
+module "k8sop_manifest" {
+ source = "terraform-google-modules/gcloud/google"
+ version = "~> 1.0"
+ enabled = local.should_download_manifest
+ skip_download = var.skip_gcloud_download
+
+ create_cmd_entrypoint = "gsutil"
+ create_cmd_body = "cp ${var.operator_latest_manifest_url} ${local.manifest_path}"
+ destroy_cmd_entrypoint = "rm"
+ destroy_cmd_body = "-f ${local.manifest_path}"
+}
+
+
+module "k8s_operator" {
+ source = "terraform-google-modules/gcloud/google"
+ version = "~> 1.0"
+ module_depends_on = [module.k8sop_manifest.wait, data.google_client_config.default.project, data.google_container_cluster.primary.name]
+ additional_components = ["kubectl"]
+ skip_download = var.skip_gcloud_download
+
+ create_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh"
+ create_cmd_body = "${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl apply -f ${local.manifest_path}"
+ destroy_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh"
+ destroy_cmd_body = "${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl delete -f ${local.manifest_path}"
+}
+
+
+resource "tls_private_key" "k8sop_creds" {
+ count = var.create_ssh_key ? 1 : 0
+ algorithm = "RSA"
+ rsa_bits = 4096
+}
+
+module "k8sop_creds_secret" {
+ source = "terraform-google-modules/gcloud/google"
+ version = "~> 1.0"
+ module_depends_on = [module.k8s_operator.wait]
+ additional_components = ["kubectl"]
+ skip_download = var.skip_gcloud_download
+
+ create_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh"
+ create_cmd_body = "${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl create secret generic ${var.operator_credential_name} -n=${var.operator_credential_namespace} --from-literal=${local.k8sop_creds_secret_key}='${local.private_key}'"
+ destroy_cmd_entrypoint = "${path.module}/scripts/kubectl_wrapper.sh"
+ destroy_cmd_body = "${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl delete secret ${var.operator_credential_name} -n=${var.operator_credential_namespace}"
+}
+
+
+data "template_file" "k8sop_config" {
+
+ template = file(var.operator_cr_template_path)
+ vars = {
+ cluster_name = var.cluster_name
+ sync_repo = var.sync_repo
+ sync_branch = var.sync_branch
+ policy_dir = var.policy_dir
+ secret_type = var.create_ssh_key ? "ssh" : var.secret_type
+ enable_policy_controller = var.enable_policy_controller ? "true" : "false"
+ install_template_library = var.install_template_library ? "true" : "false"
+ }
+}
+
+module "k8sop_config" {
+ source = "terraform-google-modules/gcloud/google"
+ version = "~> 1.0"
+ module_depends_on = [module.k8s_operator.wait, module.k8sop_creds_secret.wait]
+ additional_components = ["kubectl"]
+ skip_download = var.skip_gcloud_download
+
+ create_cmd_entrypoint = "echo"
+ create_cmd_body = "'${data.template_file.k8sop_config.rendered}' | ${path.module}/scripts/kubectl_wrapper.sh ${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl apply -f -"
+ destroy_cmd_entrypoint = "echo"
+ destroy_cmd_body = "'${data.template_file.k8sop_config.rendered}' | ${path.module}/scripts/kubectl_wrapper.sh ${local.cluster_endpoint} ${local.token} ${local.cluster_ca_certificate} kubectl delete -f -"
+}
diff --git a/modules/k8s-operator-crd-support/outputs.tf b/modules/k8s-operator-crd-support/outputs.tf
new file mode 100644
index 000000000..66f3aa043
--- /dev/null
+++ b/modules/k8s-operator-crd-support/outputs.tf
@@ -0,0 +1,23 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "git_creds_public" {
+ description = "Public key of SSH keypair to allow the Anthos Operator to authenticate to your Git repository."
+ value = var.create_ssh_key ? tls_private_key.k8sop_creds.*.public_key_openssh : null
+}
+
+
+
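Review bot: The Git private key and the cluster access token are interpolated straight into `create_cmd_body` (`--from-literal=${local.k8sop_creds_secret_key}='${local.private_key}'` in `k8sop_creds_secret`, and `${local.token}` as a positional argument to `kubectl_wrapper.sh` in all three kubectl modules), so both secrets end up in the argv of a local-exec child process, which is likely readable by other users on the runner host, and in any plan or debug output in which Terraform prints the module's command strings. Writing the key to a mode-0600 temporary file and using `--from-file=${local.k8sop_creds_secret_key}=<path>`, and passing the token through an environment variable that `kubectl_wrapper.sh` reads, would keep both out of argv. Separately, `private_key` now calls `file(var.ssh_auth_key)`, which treats the variable as a path, while the variable's description in this commit still tells callers to pass key content via `file(path/to/file)`; one of the two must change, since `file()` applied to PEM content fails. `k8sop_creds_secret` also has no `enabled` guard, so with `create_ssh_key = false` and `secret_type = "none"` the module still attempts to create the secret and the `file(null)` branch is selected, which errors.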
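Review bot: `git_creds_public` reports the generated key's public half whenever `create_ssh_key` is true, but main.tf in this commit selects `file(var.ssh_auth_key)` as the private key as soon as `ssh_auth_key` is set, regardless of `create_ssh_key`; in that combination the output advertises a key the operator never uses, and the README's "whitelist this key" step would authorise a throwaway key on the Git host. Condition the output on the same test main.tf uses, `value = var.create_ssh_key && var.ssh_auth_key == null ? tls_private_key.k8sop_creds[0].public_key_openssh : null`, and say in the description that it is null when a caller supplies their own key. The splat `.*.public_key_openssh` also yields a one-element list rather than the single string the description implies.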
diff --git a/modules/acm/scripts/kubectl_wrapper.sh b/modules/k8s-operator-crd-support/scripts/kubectl_wrapper.sh similarity index 100% rename from modules/acm/scripts/kubectl_wrapper.sh rename to modules/k8s-operator-crd-support/scripts/kubectl_wrapper.sh diff --git a/modules/k8s-operator-crd-support/variables.tf b/modules/k8s-operator-crd-support/variables.tf new file mode 100644 index 000000000..dee749866 --- /dev/null +++ b/modules/k8s-operator-crd-support/variables.tf 
@@ -0,0 +1,112 @@ +/** + * Copyright 2018 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +variable "cluster_name" { + description = "The unique name to identify the cluster in ACM." + type = string +} + +variable "project_id" { + description = "The project in which the resource belongs." + type = string +} + +variable "location" { + description = "The location (zone or region) this cluster has been created in." + type = string +} + +variable "operator_path" { + description = "Path to the operator yaml config. If unset, will download from `var.operator_latest_manifest_url`." + type = string + default = null +} + +variable "operator_latest_manifest_url" { + description = "Url to the latest downloadable manifest for the operator. To be supplied by operator module providers, not end users." + type = string +} + +variable "sync_repo" { + description = "ACM Git repo address" + type = string +} + +variable "secret_type" { + description = "git authentication secret type, is passed through to ConfigManagement spec.git.secretType. Overriden to value 'ssh' if `create_ssh_key` is true" + type = string +} + +variable "sync_branch" { + description = "ACM repo Git branch" + type = string + default = "master" +} + +variable "policy_dir" { + description = "Subfolder containing configs in ACM Git repo" + type = string +} + +variable "cluster_endpoint" { + description = "Kubernetes cluster endpoint." 
+ type = string +} + +variable "operator_credential_name" { + description = "Allows calling modules to specify the name of operator credentials to match what is expected." + type = string +} +variable "operator_credential_namespace" { + description = "Allows calling modules to specify the namespace for the operator credential to match what is expected." + type = string +} + +variable "create_ssh_key" { + description = "Controls whether a key will be generated for Git authentication" + type = bool + default = true +} + +variable "ssh_auth_key" { + description = "Key for Git authentication. Overrides 'create_ssh_key' variable. Can be set using 'file(path/to/file)'-function." + type = string + default = null +} + +variable "enable_policy_controller" { + description = "Whether to enable the ACM Policy Controller on the cluster" + type = bool + default = false +} + +variable "install_template_library" { + description = "Whether to install the default Policy Controller template library" + type = bool + default = false +} + +variable "operator_cr_template_path" { + description = "path to template file to use for the operator" + type = string +} + +variable "skip_gcloud_download" { + description = "Whether to skip downloading gcloud (assumes gcloud and kubectl already available outside the module)" + type = bool + default = false +} +
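Review bot: The `ssh_auth_key` description still says the key `Can be set using 'file(path/to/file)'-function`, but main.tf in this commit wraps the value in `file()` itself, so the variable is now a path and a caller following this description would have `file()` applied to PEM content. Suggest `description = "Path to an existing private key file for Git authentication. Overrides 'create_ssh_key'."`, or drop the `file()` call in main.tf and keep the description as is. `secret_type` is free-form here although main.tf only special-cases `cookiefile` when choosing the secret key name; a comment listing the values the module has been exercised with (`ssh`, `cookiefile`, `none`) would tell callers what is actually supported.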