From df457fe625eaeebd70f0e387a1a54706781f744f Mon Sep 17 00:00:00 2001
From: Maximilian Schlenz
Date: Thu, 17 Jul 2025 11:33:42 +0200
Subject: [PATCH] tflint, cleanup, description of vars
---
 example/variables.tf | 115 +++++++++++++++++------------
 network/variables.tf | 131 +++++++++++++++++++-------------
 observability/outputs.tf | 4 +-
 observability/variables.tf | 26 +++----
 postgres/variables.tf | 38 ++++++----
 project/variables.tf | 17 ++++-
 security-group/variables.tf | 142 +++++++++++++----------------------
 ske/variables.tf | 67 ++++++++---------
 8 files changed, 276 insertions(+), 264 deletions(-)
diff --git a/example/variables.tf b/example/variables.tf
index ee292d9..bfeab6e 100644
--- a/example/variables.tf
+++ b/example/variables.tf
@@ -1,15 +1,9 @@
 variable "region" {
- description = "Region for the STACKIT Cloud"
+ description = "Provider region for STACKIT Cloud"
 type = string
 default = "eu01"
 }
 
-variable "project_id" {
- description = "STACKIT Cloud project ID"
- type = string
- default = null
-}
-
 variable "service_account_token" {
 description = "Service account token for authentication"
 sensitive = true
@@ -17,40 +11,44 @@ variable "service_account_token" { default = null } -# SNA & Projects variables +# -----------------------------------------------------------------------------# +# SNA & Projects +# -----------------------------------------------------------------------------# variable "organization_id" { - description = "Die Container-ID deiner STACKIT Organisation." + description = "STACKIT organization container ID" type = string } variable "service_account_key_path" { + description = "Path to service account JSON key" type = string - default = "/home/hahnjan/.stackit/sa.json" + default = "/Users/schlenz/.stackit/sa.json" } variable "default_region" { - type = string - default = "eu01" + description = "Default region fallback for created resources" + type = string + default = "eu01" } variable "SNA_name" { - description = "Name der zu erstellenden Service Network Area." + description = "Name of the Service Network Area to create" type = string } variable "SNA_network_ranges" { - description = "Liste der Netzwerk-CIDRs für die SNA." + description = "CIDR list for the Service Network Area" type = list(object({ prefix = string })) } variable "SNA_transfer_network" { - description = "Das Transfer-Netzwerk für die SNA (z.B. 172.16.9.0/24)." + description = "Transfer network CIDR for the SNA" type = string } variable "Projects_map" { - description = "Eine Map von Projekten, die erstellt werden sollen." + description = "Map of STACKIT projects to create" type = map(object({ name = string owner_email = string 
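Review bot: `service_account_key_path` still ships one developer's personal home path as its default, now `/Users/schlenz/.stackit/sa.json` in place of `/home/hahnjan/.stackit/sa.json`, which makes the example non-portable and bakes a local username into the module. A module default should not point at a file on a maintainer's machine; use `default = null` and let callers supply the path. The new description "Path to service account JSON key" also does not say the file is a credential; suggest `description = "Path to the service account JSON key file (credential; keep it out of version control)"`.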
@@ -58,11 +56,17 @@ variable "Projects_map" { } variable "labels" { - type = map(string) - default = {} + description = "Default labels to apply where supported" + type = map(string) + default = {} } +# -----------------------------------------------------------------------------# +# Security Groups +# -----------------------------------------------------------------------------# + variable "security_groups" { + description = "Map of security group definitions" type = map(object({ name = optional(string) project_key = string @@ -89,15 +93,20 @@ variable "security_groups" { })) } +# -----------------------------------------------------------------------------# +# PostgreSQL +# -----------------------------------------------------------------------------# + variable "postgres_instances" { + description = "Map of PostgreSQL instances to create" type = map(object({ - name = string + name = string project_key = string - version = number - flavor = object({ cpu = number, ram = number }) - storage = object({ class = string, size = number }) - replicas = number - acl = list(string) + version = number + flavor = object({ cpu = number, ram = number }) + storage = object({ class = string, size = number }) + replicas = number + acl = list(string) backup_schedule = string users = list(object({ username = string 
@@ -110,18 +119,23 @@ variable "postgres_instances" { })) } -# Network definition map +# -----------------------------------------------------------------------------# +# Networks +# -----------------------------------------------------------------------------# + variable "networks" { + description = "Map of network definitions per project" type = map(object({ - name = string + name = string project_key = string - # IPv4 settings + + # IPv4 ipv4_gateway = optional(string) ipv4_nameservers = optional(list(string)) ipv4_prefix = optional(string) ipv4_prefix_length = optional(number) - # IPv6 settings + # IPv6 ipv6_gateway = optional(string) ipv6_nameservers = optional(list(string)) ipv6_prefix = optional(string) @@ -133,7 +147,7 @@ variable "networks" { no_ipv6_gateway = optional(bool) routed = optional(bool) - # NIC-specific options + # NICs nics = optional(map(object({ nic_ipv4 = optional(string) nic_name = string @@ -144,16 +158,18 @@ variable "networks" { nic_security_group_names = optional(list(string)) }))) })) - default = {} } -variable "ske_clusters" { - description = "Eine Map von SKE-Clustern" - type = map(object({ +# -----------------------------------------------------------------------------# +# SKE Clusters +# -----------------------------------------------------------------------------# - name = string - project_key = string +variable "ske_clusters" { + description = "Map of SKE cluster definitions" + type = map(object({ + name = string + project_key = string kubernetes_version_min = optional(string) hibernations = optional(list(object({ start = string @@ -161,10 +177,10 @@ variable "ske_clusters" { timezone = optional(string) }))) maintenance = optional(object({ - enable_kubernetes_version_updates = bool + enable_kubernetes_version_updates = bool enable_machine_image_version_updates = bool - start = string - end = string + start = string + end = string })) extensions = optional(object({ acl = optional(object({ 
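Review bot: In the `@@ -144,16 +158,18 @@` hunk the `networks` variable loses its `default = {}`, which turns it from optional into required; any caller of the example that did not set `networks` now fails at plan time instead of creating no networks. If that is intended, the new description should say so, e.g. `description = "Map of network definitions per project (required; pass {} to create none)"`. Otherwise restore `default = {}`, which the sibling maps `ske_clusters` and `observability_instances` still carry in this same file.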
@@ -178,7 +194,6 @@ variable "ske_clusters" { })) node_pools = list(object({ - name = string machine_type = string availability_zones = list(string) @@ -204,15 +219,18 @@ variable "ske_clusters" { default = {} } +# -----------------------------------------------------------------------------# +# Observability +# -----------------------------------------------------------------------------# + variable "observability_instances" { description = "Map of Observability instances to create" type = map(object({ - # Required - name = string + name = string project_key = string - plan_name = string + plan_name = string - # Optional instance settings + # Instance settings acl = optional(list(string)) metrics_retention_days = optional(number) metrics_retention_days_5m_downsampling = optional(number) @@ -220,11 +238,11 @@ variable "observability_instances" { alert_config = optional(any) parameters = optional(map(string)) - # Control credential creation + # Credentials create_credentials = optional(bool, true) credentials_count = optional(number, 1) - # alert-groups + # Alert-groups alertgroups = optional(map(object({ name = string interval = optional(string) @@ -237,7 +255,7 @@ variable "observability_instances" { })) })), {}) - # log-alert-groups + # Log-alert-groups logalertgroups = optional(map(object({ name = string interval = optional(string) @@ -250,7 +268,7 @@ variable "observability_instances" { })) })), {}) - # scrape-configs + # Scrape-configs scrapeconfigs = optional(map(object({ name = string metrics_path = string @@ -272,6 +290,7 @@ variable "observability_instances" { })), {}) })) default = {} + validation { condition = alltrue([ for k, v in var.observability_instances : 
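Review bot: The `@@ -178,7 +194,6 @@` hunk drops `name = string` from the `node_pools` object inside `ske_clusters`, but the `ske` module's own `node_pools` variable (ske/variables.tf in this same patch) still declares `name = string` as a required attribute. If the example forwards `node_pools` to that module unchanged — the wiring is not visible here — Terraform rejects the call because the object type no longer provides `name`. Either keep `name = string` in the example's type or make it `optional(string)` in the module and derive the name there.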
@@ -292,7 +311,7 @@ variable "observability_instances" { ]) error_message = <<-EOM One or more observability_instances specify an invalid plan_name. - See the provider error output for the list of supported plans. Allowed values: + See the provider error output for supported plans. Allowed: Observability-Medium-EU01 Observability-Monitoring-XL-EU01 Observability-Large-EU01 diff --git a/network/variables.tf b/network/variables.tf index 35787b4..b5b2fc7 100644 --- a/network/variables.tf +++ b/network/variables.tf 
@@ -1,103 +1,123 @@ variable "project_id" { - type = string + description = "STACKIT project ID" + type = string } variable "name" { - type = string + description = "Network name" + type = string } +# ----------------------------- +# IPv4 +# ----------------------------- variable "ipv4_gateway" { - type = string - default = null + description = "IPv4 gateway address" + type = string + default = null } variable "ipv4_nameservers" { - type = list(string) - default = [] + description = "IPv4 nameserver list" + type = list(string) + default = [] } variable "ipv4_prefix" { - type = string - default = null + description = "IPv4 prefix CIDR" + type = string + default = null } variable "ipv4_prefix_length" { - type = number - default = null + description = "IPv4 prefix length" + type = number + default = null } +# ----------------------------- +# IPv6 +# ----------------------------- variable "ipv6_gateway" { - type = string - default = null + description = "IPv6 gateway address" + type = string + default = null } variable "ipv6_nameservers" { - type = list(string) - default = [] + description = "IPv6 nameserver list" + type = list(string) + default = [] } variable "ipv6_prefix" { - type = string - default = null + description = "IPv6 prefix CIDR" + type = string + default = null } variable "ipv6_prefix_length" { - type = number - default = null + description = "IPv6 prefix length" + type = number + default = null } +# ----------------------------- +# Deprecated legacy nameservers (provider still exposes) +# ----------------------------- +variable "nameservers" { + description = "Deprecated nameserver list (legacy field)" + type = list(string) + default = [] +} + +# ----------------------------- +# Labels & flags +# ----------------------------- variable "labels" { - type = map(string) - default = {} + description = "Labels map" + type = map(string) + default = {} } variable "no_ipv4_gateway" { - type = bool - default = false + description = "Disable IPv4 gateway" + type = 
bool + default = false } variable "no_ipv6_gateway" { - type = bool - default = false + description = "Disable IPv6 gateway" + type = bool + default = false } variable "routed" { - type = bool - # default = true + description = "Mark network routed" + type = bool + default = null } -variable "nic_allowed_addresses" { - type = list(string) - default = [] +# ----------------------------- +# Region override & routing +# ----------------------------- +variable "region" { + description = "Resource region override (defaults to provider region)" + type = string + default = null } -variable "nic_ipv4" { - type = string - default = null -} - -variable "nic_labels" { - type = map(string) - default = {} -} - -variable "nic_name" { - type = string - default = null -} - -variable "nic_security" { - type = bool - default = false - nullable = false -} - -variable "nic_security_group_ids" { - type = list(string) - default = [] +variable "routing_table_id" { + description = "Routing table ID" + type = string + default = null } +# ----------------------------- +# NIC map (zero or many) +# ----------------------------- variable "nics" { + description = "Map of NIC configs" type = map(object({ nic_ipv4 = optional(string) nic_name = optional(string) @@ -110,7 +130,10 @@ variable "nics" { default = {} } +# ----------------------------- +# Security group lookup map +# ----------------------------- variable "security_group_ids_by_name" { - description = "Map of security-group names -> IDs" + description = "Security group name→ID map" type = map(string) } diff --git a/observability/outputs.tf b/observability/outputs.tf index a097640..15f6ecb 100644 --- a/observability/outputs.tf +++ b/observability/outputs.tf 
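Review bot: `routed` changes from a required input (the old `# default = true` was commented out) to `default = null`, and the new description "Mark network routed" does not say what null does; since routability governs whether the network is reachable beyond itself, the consequence of leaving it unset should be stated, e.g. `description = "Whether the network is routed (reachable from other networks); null defers to the provider default"`, or set `default = false` so the explicit default is the more restrictive one. The same hunk adds `nameservers` as a deprecated legacy list beside `ipv4_nameservers` and `ipv6_nameservers` without saying which wins when both are set; name the precedence in its description or leave the legacy field out of the cleaned-up interface. `security_group_ids_by_name` in the `@@ -110,7 +130,10 @@` hunk stays required with no default, so callers that attach no security groups must still pass `{}` — worth a mention in its description.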
@@ -26,7 +26,7 @@ output "observability_credentials" {
 }
 
 output "observability_alertgroups" {
- description = "Map of created Thanos alert-group IDs"
+ description = "Map of created alert-group IDs"
 value = {
 for key, alertgrp in stackit_observability_alertgroup.this :
 key => alertgrp.id
@@ -34,7 +34,7 @@ output "observability_alertgroups" {
 }
 
 output "observability_logalertgroups" {
- description = "Map of created Loki log-alert-group IDs"
+ description = "Map of created log-alert-group IDs"
 value = {
 for key, logalertgrp in stackit_observability_logalertgroup.this :
 key => logalertgrp.id
diff --git a/observability/variables.tf b/observability/variables.tf
index fb14907..daee852 100644
--- a/observability/variables.tf
+++ b/observability/variables.tf
@@ -4,65 +4,65 @@ variable "project_id" {
 }
 
 variable "name" {
- description = "The name of the Observability instance."
+ description = "Observability instance name"
 type = string
 }
 
 variable "plan_name" {
- description = "Specifies the Observability plan."
+ description = "Observability plan name"
 type = string
 }
 
 variable "acl" {
- description = "Access control list (CIDR blocks) permitted to access this instance."
+ description = "Allowed CIDR list"
 type = list(string)
 default = null
 }
 
 variable "metrics_retention_days" {
- description = "How many days raw metrics are kept."
+ description = "Retention days raw metrics"
 type = number
 default = null
 }
 
 variable "metrics_retention_days_5m_downsampling" {
- description = "How many days 5m-downsampled metrics are kept."
+ description = "Retention days 5m downsample"
 type = number
 default = null
 }
 
 variable "metrics_retention_days_1h_downsampling" {
- description = "How many days 1h-downsampled metrics are kept."
+ description = "Retention days 1h downsample"
 type = number
 default = null
 }
 
 variable "alert_config" {
- description = "Complex Alertmanager configuration."
+ description = "Alertmanager config object"
 type = any
 default = null
 }
 
 variable "parameters" {
- description = "Additional key/value parameters for the instance."
+ description = "Extra key/value parameters"
 type = map(string)
 default = null
 }
 
 variable "create_credentials" {
- description = "Whether to create credentials for this instance."
+ description = "Create credentials"
 type = bool
 default = true
 }
 
 variable "credentials_count" {
- description = "How many credentials to create when enabled."
+ description = "Credential count when enabled"
 type = number
 default = 1
 }
 
 variable "alertgroups" {
- description = "Map of alert-groups to create."
+ description = "Map of alert-groups to create"
 type = map(object({
 name = string
 interval = optional(string)
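Review bot: Several of the shortened descriptions in this hunk drop the part a caller needs: `acl` goes from "Access control list (CIDR blocks) permitted to access this instance." to "Allowed CIDR list", which no longer says it gates who can reach the instance, and the three `metrics_retention_days*` strings no longer read as sentences. Suggest `description = "CIDR blocks permitted to reach this instance (null = provider default)"` for `acl`, and `"Days to keep raw metrics"`, `"Days to keep 5m-downsampled metrics"`, `"Days to keep 1h-downsampled metrics"` for the retention variables. `alert_config` keeps `type = any` with no description of the expected shape; if the provider schema is too large to type here, say so in the description so callers know where to look.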
@@ -78,7 +78,7 @@ variable "alertgroups" { } variable "logalertgroups" { - description = "Map of log-alert-groups to create." + description = "Map of log-alert-groups to create" type = map(object({ name = string interval = optional(string) @@ -94,7 +94,7 @@ variable "logalertgroups" { } variable "scrapeconfigs" { - description = "Map of scrape-configs to create." + description = "Map of scrape-configs to create" type = map(object({ name = string metrics_path = string diff --git a/postgres/variables.tf b/postgres/variables.tf index 061dd3f..620fea0 100644 --- a/postgres/variables.tf +++ b/postgres/variables.tf @@ -1,9 +1,11 @@ variable "project_id" { - type = string + description = "STACKIT project ID" + type = string } variable "name" { - type = string + description = "Instance name (DNS-1035 compliant)" + type = string validation { condition = length(regexall("^[a-z]([-a-z0-9]*[a-z0-9])?$", var.name)) > 0 
@@ -16,50 +18,52 @@ variable "name" { } } -variable "instance_id" { - type = string - default = "" -} - variable "ver" { - type = number + description = "PostgreSQL version" + type = number } variable "flavor" { + description = "Compute flavor (cpu, ram GB)" type = object({ - cpu = number, + cpu = number ram = number }) } variable "storage" { + description = "Storage settings (class, size GB)" type = object({ - class = string, + class = string size = number }) } variable "replicas" { - type = number + description = "Number of instance replicas" + type = number } variable "acl" { - type = list(string) + description = "Allowed CIDR list for instance access" + type = list(string) } variable "backup_schedule" { - type = string - + description = "Backup schedule string" + type = string } variable "users" { + description = "Database users (username, roles)" type = list(object({ username = string roles = set(string) })) default = [] + validation { - condition = alltrue([ + condition = alltrue([ for user in var.users : user.username != "admin" ]) error_message = "The username 'admin' is reserved and cannot be used." @@ -67,12 +71,14 @@ variable "users" { } variable "databases" { + description = "Databases to create (name, owner)" type = list(object({ name = string owner = string })) default = [] - validation { + + validation { condition = alltrue([ for db in var.databases : length(regexall("^[a-z]([-a-z0-9]*[a-z0-9])?$", db.name)) > 0 ]) diff --git a/project/variables.tf b/project/variables.tf index 9be4103..b0eb6dd 100644 --- a/project/variables.tf +++ b/project/variables.tf 
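Review bot: `acl` in the `@@ -16,50 +18,52 @@` hunk is now documented as "Allowed CIDR list for instance access" but, unlike `name` and `users` in the same hunk, carries no validation, so a malformed entry such as a bare address without a prefix length reaches the provider unchecked; since this list decides who can reach the database, it deserves the same local check. A validation that every entry parses as a CIDR (`can(cidrhost(c, 0))` accepts both IPv4 and IPv6) catches the format error at plan time, as below; whether to refuse an all-zeros range is a policy choice the description could at least call out. `backup_schedule` is described only as "Backup schedule string"; naming the expected format (not visible here) would save callers a round trip to the provider docs.
```hcl
variable "acl" {
  description = "Allowed CIDR list for instance access"
  type        = list(string)

  validation {
    condition     = alltrue([for c in var.acl : can(cidrhost(c, 0))])
    error_message = "Each acl entry must be a valid IPv4 or IPv6 CIDR block."
  }
}
```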
@@ -1,9 +1,16 @@
 variable "organization_id" {
- description = "Empfängt die Container-ID der Organisation vom Root-Modul."
+ description = "Organization container ID (root parent)"
 type = string
 }
 
+variable "parent_container_id" {
+ description = "Parent container ID to create projects under"
+ type = string
+ default = null
+}
+
 variable "projects" {
+ description = "Map of projects (name, owner_email)"
 type = map(object({
 name = string
 owner_email = string
@@ -11,11 +18,13 @@ variable "projects" {
 }
 
 variable "sna_id" {
- description = "Empfängt die ID der Network Area vom Root-Modul."
+ description = "Network Area ID; adds label networkArea= when set"
 type = string
+ default = null
 }
 
 variable "labels" {
- type = map(string)
- default = {}
+ description = "Extra labels applied to all projects"
+ type = map(string)
+ default = {}
 }
diff --git a/security-group/variables.tf b/security-group/variables.tf
index 053a240..4ca3116 100644
--- a/security-group/variables.tf
+++ b/security-group/variables.tf
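Review bot: `parent_container_id` is added with `default = null` but its description "Parent container ID to create projects under" does not say what happens when it is null; the fallback (if any) lives outside this hunk, and the container a project lands in decides which organization policies apply to it, so the caller needs to know. State it in the description, e.g. `description = "Parent container ID to create projects under; null = <fallback documented in main.tf>"` with the placeholder replaced by the actual behaviour. In the `@@ -11,11 +18,13 @@` hunk `sna_id` gains `default = null` and its description already documents the label side effect; giving `parent_container_id` the same treatment keeps the two optional inputs consistent.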
@@ -1,107 +1,65 @@ variable "project_id" { - description = "STACKIT project ID in which to create resources." + description = "STACKIT project ID" type = string } variable "name" { - description = "Name of the network." + description = "Security group name" type = string } variable "description" { + description = "Security group description" type = string default = "" } -variable "ipv4_gateway" { - description = "IPv4 gateway for the network. If null, the first IP in the CIDR is used." - type = string - nullable = true - default = null -} - -variable "ipv4_nameservers" { - description = "List of IPv4 nameservers." - type = list(string) - nullable = true - default = null -} - -variable "ipv4_prefix" { - description = "IPv4 prefix (CIDR) for the network." - type = string - nullable = true - default = null -} - -variable "ipv4_prefix_length" { - description = "IPv4 prefix length for the network." - type = number - nullable = true - default = null -} - -variable "ipv6_gateway" { - description = "IPv6 gateway for the network. If null, the first IP in the CIDR is used." - type = string - nullable = true - default = null -} - -variable "ipv6_nameservers" { - description = "List of IPv6 nameservers." - type = list(string) - nullable = true - default = null -} - -variable "ipv6_prefix" { - description = "IPv6 prefix (CIDR) for the network." - type = string - nullable = true - default = null -} - -variable "ipv6_prefix_length" { - description = "IPv6 prefix length for the network." - type = number - nullable = true - default = null -} - -variable "labels" { - description = "Key/value labels to attach to the network." - type = map(string) - nullable = true - default = null -} - -variable "no_ipv4_gateway" { - description = "If true, suppress creation of an IPv4 gateway." - type = bool - default = false -} - -variable "no_ipv6_gateway" { - description = "If true, suppress creation of an IPv6 gateway." 
- type = bool - default = false -} - -variable "routed" { - description = "If true, the network is routed." - type = bool - default = false -} - -variable "routing_table_id" { - description = "Routing table ID to associate with this network (experimental)." - type = string - nullable = true - default = null -} - +# rule schema variable "rules" { - description = "List of routing rules to apply to this network (experimental)." - type = any + description = "List of security group rules" + type = list(object({ + direction = string # ingress | egress + description = optional(string) + ether_type = optional(string) # IPv4 | IPv6 + icmp_parameters = optional(object({ + type = optional(number) + code = optional(number) + })) + ip_range = optional(string) # CIDR + port_range = optional(object({ + min = number + max = number + })) + protocol = optional(object({ + name = optional(string) # tcp | udp | icmp + number = optional(number) # OR protocol number + })) + remote_security_group_id = optional(string) + })) + + validation { + condition = alltrue([ + for r in var.rules : contains(["ingress", "egress"], lower(r.direction)) + ]) + error_message = "Each rule.direction must be 'ingress' or 'egress'." + } + + validation { + condition = alltrue([ + for r in var.rules : + r.ether_type == null ? true : contains(["IPv4", "IPv6"], r.ether_type) + ]) + error_message = "Each rule.ether_type must be 'IPv4' or 'IPv6' when set." + } + + # port_range min <= max when provided + validation { + condition = alltrue([ + for r in var.rules : + ( + r.port_range == null ? true : (r.port_range.min <= r.port_range.max) + ) + ]) + error_message = "Each rule.port_range.min must be <= rule.port_range.max." + } } diff --git a/ske/variables.tf b/ske/variables.tf index ccae10c..6636f12 100644 --- a/ske/variables.tf +++ b/ske/variables.tf 
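Review bot: The `direction` validation in the new `rules` schema lowercases the value before comparing (`contains(["ingress", "egress"], lower(r.direction))`) while `ether_type` is compared case-sensitively, so `"Ingress"` passes validation but is forwarded to the resource as typed unless the module normalises it where the rule is consumed (not visible here); either compare strictly or apply `lower()` at the point of use. The `port_range` check only enforces `min <= max`, so values outside the port space pass through, and `ip_range` is commented as a CIDR but never parsed, so a malformed or unintended remote range is only caught by the provider. Both are cheap to check locally with the validations below, which keep the existing min/max rule. The `protocol` object also allows `name` and `number` to be set at once despite the `# OR protocol number` comment; a validation that at most one is set would make that comment enforceable. The `rules` variable begins on the previous physical line of this hunk.
```hcl
  # port_range min <= max and within the TCP/UDP port space
  validation {
    condition = alltrue([
      for r in var.rules :
      r.port_range == null ? true : (
        r.port_range.min >= 1 && r.port_range.min <= r.port_range.max && r.port_range.max <= 65535
      )
    ])
    error_message = "Each rule.port_range must satisfy 1 <= min <= max <= 65535."
  }

  # ip_range, when given, must parse as an IPv4 or IPv6 CIDR
  validation {
    condition = alltrue([
      for r in var.rules : r.ip_range == null ? true : can(cidrhost(r.ip_range, 0))
    ])
    error_message = "Each rule.ip_range must be a valid CIDR block when set."
  }
```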
@@ -1,47 +1,51 @@ variable "project_id" { - description = "STACKIT project ID to which the cluster is associated." + description = "STACKIT project ID" type = string } variable "name" { - description = "The cluster name." + description = "Cluster name" type = string } variable "node_pools" { - description = "One or more node_pool blocks." + description = "List of node pool configs" type = list(object({ - name = string - machine_type = string - availability_zones = list(string) - minimum = number - maximum = number - allow_system_components = optional(bool) - cri = optional(string) - labels = optional(map(string)) - max_surge = optional(number) - max_unavailable = optional(number) - os_name = optional(string) - os_version_min = optional(string) - taints = optional(list(object({ + name = string + machine_type = string + availability_zones = list(string) + minimum = number + maximum = number + + allow_system_components = optional(bool) + cri = optional(string) + labels = optional(map(string)) + max_surge = optional(number) + max_unavailable = optional(number) + os_name = optional(string) + os_version_min = optional(string) + taints = optional(list(object({ effect = string key = string value = optional(string) }))) - volume_size = optional(number) - volume_type = optional(string) + volume_size = optional(number) + volume_type = optional(string) })) } -# Optionale Variablen +# -----------------------------------------------------------------------------# +# Optional fields +# -----------------------------------------------------------------------------# + variable "kubernetes_version_min" { - description = "The minimum Kubernetes version." + description = "Minimum Kubernetes version" type = string default = null } variable "hibernations" { - description = "A list of hibernation schedules for the cluster." + description = "Hibernation schedules" type = list(object({ start = string end = string 
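Review bot: `node_pools` declares `minimum` and `maximum` as plain numbers with no validation, so a pool with `minimum > maximum` or a negative size is only rejected by the provider after the plan is built; the `postgres` and `security-group` modules in this same patch validate their inputs locally, which leaves this module as the odd one out. A validation such as the one below keeps the error next to the input. The description "List of node pool configs" could also name the required fields, e.g. `description = "Node pools; name, machine_type, availability_zones, minimum and maximum are required"`.
```hcl
variable "node_pools" {
  description = "List of node pool configs"
  # … unchanged: type = list(object({ … })) …

  validation {
    condition = alltrue([
      for p in var.node_pools : p.minimum >= 0 && p.minimum <= p.maximum
    ])
    error_message = "Each node_pool must satisfy 0 <= minimum <= maximum."
  }
}
```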
@@ -51,7 +55,7 @@ variable "hibernations" { } variable "maintenance" { - description = "A single maintenance block." + description = "Maintenance window settings" type = object({ enable_kubernetes_version_updates = bool enable_machine_image_version_updates = bool @@ -60,8 +64,9 @@ variable "maintenance" { }) default = null } + variable "extensions" { - description = "A single extensions block." + description = "Extensions config" type = object({ acl = optional(object({ enabled = bool @@ -72,23 +77,15 @@ variable "extensions" { argus_instance_id = string })) dns = optional(object({ - enabled = bool - zones = optional(list(string)) + enabled = bool + zones = optional(list(string)) })) }) default = null } -variable "network" { - description = "Network block." - type = object({ - id = string - }) - default = null -} - variable "default_region" { - description = "The resource region." + description = "Resource region override" type = string default = null -} \ No newline at end of file +}
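Review bot: `extensions` keeps `default = null` while its description shrinks to "Extensions config", so nothing tells a caller that leaving it unset also leaves the `acl` extension (`enabled = bool` inside it) unconfigured — if, as the field name suggests, that extension restricts access to the cluster, the default silently opts out of a network restriction. The description should spell that out, e.g. `description = "SKE extensions (acl, argus, dns); null configures none of them, including acl"`, with the exact acl semantics confirmed against the provider since only `enabled` is visible here. `maintenance` in the `@@ -51,7 +55,7 @@` hunk has the same shape (`default = null` wrapping the two `enable_*_version_updates` booleans) and would benefit from the same note on what null leaves disabled.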