upstream/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2026-06-27 01:50:31 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 11
vault/enos/modules/start_vault/variables.tf
Vault Automation ad9a5b1e0a
[VAULT-34888] enos: backport changes for Fyre scenarios for testing on linux/s390x 
Add support for running enos on Fyre with support for linux/s390x,
linux/amd64, and linux/ppc64le. The enterprise version of this PR
has enterprise only scenarios. The changes reflected here are on
shared modules.

We now have three new fyre modules that are can swap in-place of
create_vpc, ec2_info, and target_ec2_instances:
create_vpc_fyre_shim, fyre_os_info and target_fyre_vms. This pass
doesn't make them adhered 1:1 as module interfaces but that can come
later when the base scenarios are merged.

The only major change we had to make to long existing modules was
supporting leader_api_addr for discovery. Historically we've always used
cloud based node discovery but that's obviously not available in Fyre.
Nowyou can set the retry_join variable to either local_api_addr or
aws.

We also modify our integration containers to use those available from
the HashiCorp docker mirror. We do this because we pull those images
unauthenticated and thus share the same external address as the larger
network, which makes the likelihood of throttling very high.

To maintain the goal of the Fyre scenarios not requiring AWS credentials, I
had to move the AWS secrets verification into it's own module. That allows
us now to simply not include it, but later if/when we include it we can have
scenarios with the Fyre backend compile them out by skipping.

This PR is massive and covers the following tickets:

    VAULT-40635
    VAULT-40636
    VAULT-44591
    VAULT-34888
    VAULT-34887
    VAULT-34886
    VAULT-34885
    VAULT-34884

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-06-22 10:21:47 -06:00

219 lines
5.8 KiB
HCL
Raw Blame History

# Copyright IBM Corp. 2016, 2025
# SPDX-License-Identifier: BUSL-1.1
variable "retry_join_method" {
type = string
description = <<-EOF
What method of retry_join_method to use. Must map to a go-discover provider type or "leader_api_addr"
EOF
default = "aws"
validation {
condition = contains(["aws", "leader_api_addr"], var.retry_join_method)
error_message = "The retry_join_method must match a go-discover provider type or be 'leader_api_addr'. No other retry_join_method types are supported."
}
}
variable "cluster_name" {
type = string
description = "The Vault cluster name"
}
variable "cluster_port" {
type = number
description = "The cluster port for Vault to listen on"
default = 8201
}
variable "cluster_tag_key" {
type = string
description = "The Vault cluster tag key"
default = "retry_join"
}
variable "config_dir" {
type = string
description = "The directory to use for Vault configuration"
default = "/etc/vault.d"
}
variable "config_mode" {
description = "The method to use when configuring Vault. When set to 'env' we will configure Vault using VAULT_ style environment variables if possible. When 'file' we'll use the HCL configuration file for all configuration options."
default = "file"
validation {
condition = contains(["env", "file"], var.config_mode)
error_message = "The config_mode must be either 'env' or 'file'. No other configuration modes are supported."
}
}
variable "disable_mlock" {
type = bool
description = "Disable mlock for Vault process."
default = false
}
variable "enable_telemetry" {
type = bool
description = "Enable Vault telemetry"
default = false
}
variable "environment" {
description = "Optional Vault configuration environment variables to set starting Vault"
type = map(string)
default = null
}
variable "external_storage_port" {
type = number
description = "The port to connect to when using external storage"
default = 8500
}
variable "hosts" {
description = "The target machines host addresses to use for the Vault cluster"
type = map(object({
ipv6 = string
private_ip = string
public_ip = string
}))
}
variable "install_dir" {
type = string
description = "The directory where the vault binary will be installed"
default = "/opt/vault/bin"
}
variable "ip_version" {
type = number
description = "The IP version to use for the Vault TCP listeners"
validation {
condition = contains([4, 6], var.ip_version)
error_message = "The ip_version must be either 4 or 6"
}
}
variable "license" {
type = string
sensitive = true
description = "The value of the Vault license"
default = null
}
variable "log_level" {
type = string
description = "The vault service log level"
default = "info"
validation {
condition = contains(["trace", "debug", "info", "warn", "error"], var.log_level)
error_message = "The log_level must be one of 'trace', 'debug', 'info', 'warn', or 'error'."
}
}
variable "manage_service" {
type = bool
description = "Manage the Vault service users and systemd unit. Disable this to use configuration in RPM and Debian packages"
default = true
}
variable "leader_api_addr" {
type = string
description = "An optional API address of the leader to use for leader_api_addr retry_join. If not set the first var.host address will be used"
default = null
}
variable "listener_port" {
type = number
description = "The port for Vault to listen on"
default = 8200
}
variable "seal_alias" {
type = string
description = "The primary seal alias name"
default = "primary"
}
variable "seal_alias_secondary" {
type = string
description = "The secondary seal alias name"
default = "secondary"
}
variable "seal_attributes" {
description = "The primary auto-unseal attributes"
default = null
}
variable "seal_attributes_secondary" {
description = "The secondary auto-unseal attributes"
default = null
}
variable "seal_priority" {
type = string
description = "The primary seal priority"
default = "1"
}
variable "seal_priority_secondary" {
type = string
description = "The secondary seal priority"
default = "2"
}
variable "seal_type" {
type = string
description = "The method by which to unseal the Vault cluster"
default = "awskms"
validation {
condition = contains(["awskms", "pkcs11", "shamir"], var.seal_type)
error_message = "The seal_type must be either 'awskms', 'pkcs11', or 'shamir'. No other seal types are supported."
}
}
variable "seal_type_secondary" {
type = string
description = "A secondary HA seal method. Only supported in Vault Enterprise >= 1.15"
default = "none"
validation {
condition = contains(["awskms", "pkcs11", "none"], var.seal_type_secondary)
error_message = "The secondary_seal_type must be 'awskms', 'pkcs11' or 'none'. No other secondary seal types are supported."
}
}
variable "service_username" {
type = string
description = "The host username to own the vault service"
default = "vault"
}
variable "storage_backend" {
type = string
description = "The storage backend to use"
default = "raft"
validation {
condition = contains(["raft", "consul"], var.storage_backend)
error_message = "The storage_backend must be either raft or consul. No other storage backends are supported."
}
}
variable "storage_backend_attrs" {
type = map(any)
description = "An optional set of key value pairs to inject into the storage block"
default = {}
}
variable "storage_node_prefix" {
type = string
description = "A prefix to use for each node in the Vault storage configuration"
default = "node"
}
Reference in a new issue View git blame Copy permalink