##############################################################################
# Account Variables
##############################################################################
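variable "TF_VERSION" {
  description = "The version of the Terraform engine that's used in the Schematics workspace (a version string such as \"1.0\")."
  # Constrained to string so a bare number like 1.0 is not accepted and then
  # stringified differently than the author intended.
  type    = string
  default = "1.0"
}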
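variable "ibmcloud_api_key" {
  description = "The IBM Cloud platform API key needed to deploy IAM enabled resources"
  type        = string
  sensitive   = true

  # sensitive = true only redacts the value from plan/apply output and the console; it is
  # still stored in clear text in the Terraform state, so the state backend must be
  # encrypted and access-controlled, and the key should be scoped to the minimum IAM
  # privileges this deployment needs.
  #
  # Fail at validation time with a clear message instead of at provider authentication
  # when the key is empty or whitespace.
  validation {
    error_message = "The IBM Cloud API key must not be empty."
    condition     = length(trimspace(var.ibmcloud_api_key)) > 0
  }
}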
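variable "ibm_region" {
  description = "IBM Cloud region where all resources will be deployed"
  type        = string
  default     = "eu-de"

  # contains() returns false rather than raising an error when the value is absent, so
  # the original can(contains(...)) wrapper always evaluated to true and this validation
  # never rejected anything. The bare boolean is what is needed.
  # NOTE(review): the region list is a snapshot; regions added to IBM Cloud later must be
  # appended here or they will be refused.
  validation {
    error_message = "Must use an IBM Cloud region. Use `ibmcloud regions` with the IBM Cloud CLI to see valid regions."
    condition = contains(
      ["au-syd", "br-sao", "ca-tor", "jp-tok", "jp-osa", "eu-de", "eu-gb", "us-south", "us-east"],
      var.ibm_region
    )
  }
}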
##############################################################################
##############################################################################
# Access Group Rules
##############################################################################
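variable "access_groups" {
  description = "A list of IAM access groups to create, each with its resource policies, optional dynamic (federated identity) rules, optional account-management roles and the users to invite. WARNING: the default creates groups carrying the Administrator and Manager roles on whole resource groups and invites a placeholder e-mail address; override it in anything but a throwaway account."
  type = list(
    object({
      name        = string # Name of the group (must be unique within this list, see validation below)
      description = string # Description of group
      policies = list(
        object({
          name  = string       # Name of the policy
          roles = list(string) # list of roles for the policy
          resources = object({
            resource_group       = optional(string) # Name of the resource group the policy will apply to
            resource_type        = optional(string) # Name of the resource type for the policy ex. "resource-group"
            service              = optional(string) # Name of the service type for the policy ex. "cloud-object-storage"
            resource_instance_id = optional(string) # ID of a service instance to give permissions
          })
        })
      )
      # NOTE(review): optional() inside a type constraint is only generally available from
      # Terraform 1.3; on the 1.0 engine named by TF_VERSION it requires the
      # module_variable_optional_attrs experiment in the terraform {} block, which is not
      # visible in this file - confirm it is enabled.
      dynamic_policies = optional(
        list(
          object({
            name              = string # Dynamic group name
            identity_provider = string # URI for identity provider
            expiration        = number # How many hours authenticated users can work before refresh
            conditions = object({
              claim    = string # key value to evaluate the condition against.
              operator = string # The operation to perform on the claim. Supported values are EQUALS, EQUALS_IGNORE_CASE, IN, NOT_EQUALS_IGNORE_CASE, NOT_EQUALS, and CONTAINS.
              value    = string # Value to be compared against
            })
          })
        )
      )
      account_management_policies = optional(list(string)) # A list of roles for account management to add
      invite_users                = list(string)           # Users to invite to the access group
    })
  )

  # Example defaults only. Note that the first group grants Administrator/Manager on the
  # whole "asset-development" resource group and the second does the same for "default".
  default = [
    {
      name        = "admin"
      description = "An example admin group"
      policies = [
        {
          name = "admin_all"
          resources = {
            resource_group = "asset-development"
          }
          roles = ["Administrator", "Manager"]
        },
        {
          name = "admin_service"
          resources = {
            service        = "cloud-object-storage"
            resource_group = "asset-development"
          }
          roles = ["Content Reader"]
        },
        {
          name = "admin_rg"
          resources = {
            resource_group = "asset-development"
            resource_type  = "resource-group"
          }
          roles = ["Editor", "Manager"]
        },
      ]
      # Dynamic rule example: anyone whose "blueGroups" claim from the named IdP contains
      # the value is admitted to the group for `expiration` hours.
      dynamic_policies = [
        {
          name              = "newrule"
          expiration        = 4
          identity_provider = "test-idp.com"
          conditions = {
            claim    = "blueGroups"
            operator = "CONTAINS"
            value    = "https://idp.example.org/SAML2"
          }
        }
      ]
      account_management_policies = ["Viewer"]
      invite_users                = ["test@test.test"] # placeholder address - replace before use
    },
    {
      name        = "admin_default"
      description = "An example admin group"
      policies = [
        {
          name = "admin_default_all"
          resources = {
            resource_group = "default"
          }
          roles = ["Administrator", "Manager"]
        },
        {
          # NOTE(review): "admin_default_ervice" is almost certainly a typo of
          # "admin_default_service"; left as-is because changing it renames the policy
          # for anyone deploying the default.
          name = "admin_default_ervice"
          resources = {
            service        = "cloud-object-storage"
            resource_group = "default"
          }
          roles = ["Content Reader"]
        },
        {
          name = "admin_default_rg"
          resources = {
            resource_group = "default"
            resource_type  = "resource-group"
          }
          roles = ["Editor", "Manager"]
        },
      ]
      invite_users = ["test@test.test"] # placeholder address - replace before use
    }
  ]

  # Two entries with the same name would presumably try to create the same access group
  # twice; reject the input up front with a readable message.
  validation {
    error_message = "Access group names must be unique."
    condition     = length(distinct([for group in var.access_groups : group.name])) == length(var.access_groups)
  }

  # Reject unsupported dynamic-rule operators (the set documented on the type above)
  # before the API does; dynamic_policies may be null because it is optional.
  validation {
    error_message = "Each dynamic policy operator must be one of EQUALS, EQUALS_IGNORE_CASE, IN, NOT_EQUALS_IGNORE_CASE, NOT_EQUALS or CONTAINS."
    condition = alltrue(flatten([
      for group in var.access_groups : [
        for rule in (group.dynamic_policies == null ? [] : group.dynamic_policies) :
        contains(["EQUALS", "EQUALS_IGNORE_CASE", "IN", "NOT_EQUALS_IGNORE_CASE", "NOT_EQUALS", "CONTAINS"], rule.conditions.operator)
      ]
    ]))
  }
}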
##############################################################################