access_logs |
Enable access logs for S3 buckets; requires the log_bucket variable to be set |
bool |
false |
no |
aws_principals |
List of ARNs for AWS principals allowed to assume DynamoDB reader role or execute the tls_cert lambda |
list |
[] |
no |
bucket_prefix |
First part of the S3 bucket name to ensure uniqueness; if left blank, a random suffix will be used instead |
string |
"" |
no |
cert_info_files |
List of file names to be uploaded to internal S3 bucket for processing |
list |
[] |
no |
csr_files |
List of CSR file names to be uploaded to internal S3 bucket for processing |
list |
[] |
no |
custom_sns_topic_display_name |
Customised SNS topic display name, leave empty to use standard naming convention |
string |
"" |
no |
custom_sns_topic_name |
Customised SNS topic name, leave empty to use standard naming convention |
string |
"" |
no |
env |
Environment name, e.g. dev |
string |
"dev" |
no |
filter_pattern |
Filter pattern for CloudWatch logs subscription filter |
string |
"" |
no |
hosted_zone_domain |
Hosted zone domain, e.g. dev.ca.example.com |
string |
"" |
no |
hosted_zone_id |
Hosted zone ID for public zone, e.g. Z0123456XXXXXXXXXXX |
string |
"" |
no |
issuing_ca_info |
Issuing CA certificate information |
map |
{ "commonName": "Serverless Issuing CA", "country": "GB", "emailAddress": null, "lifetime": 3650, "locality": "London", "organization": "Serverless", "organizationalUnit": "IT", "pathLengthConstraint": null, "state": "London" } |
no |
issuing_ca_key_spec |
Issuing CA key specification |
string |
"ECC_NIST_P256" |
no |
issuing_crl_days |
Number of days before Issuing CA CRL expires, in addition to seconds. Must be greater than or equal to Step Function interval |
number |
1 |
no |
issuing_crl_seconds |
Number of seconds before Issuing CA CRL expires, in addition to days. Used for overlap in case of clock skew |
number |
600 |
no |
kms_arn_resource |
KMS key ARN used for general resource encryption, different from key used for CA key protection |
string |
"" |
no |
kms_key_alias |
KMS key alias for bucket encryption with key rotation disabled; if left at the default, the TLS key generation KMS key will be used |
string |
"" |
no |
log_bucket |
Name of the log bucket, used if the access_logs variable is set to true |
string |
"" |
no |
logging_account_id |
AWS Account ID of central logging account for CloudWatch subscription filters |
string |
"" |
no |
max_cert_lifetime |
Maximum end entity certificate lifetime in days |
number |
365 |
no |
memory_size |
Standard memory allocation for Lambda functions |
number |
128 |
no |
prod_envs |
List of production environment names, used in outputs.tf |
list |
[ "prd", "prod" ] |
no |
project |
Abbreviation for the project; forms the first part of resource names |
string |
"serverless" |
no |
public_crl |
Whether to make the CRL and CA certificates publicly available |
bool |
false |
no |
root_ca_info |
Root CA certificate information |
map |
{ "commonName": "Serverless Root CA", "country": "GB", "emailAddress": null, "lifetime": 7300, "locality": "London", "organization": "Serverless", "organizationalUnit": "IT", "pathLengthConstraint": null, "state": "London" } |
no |
root_ca_key_spec |
Root CA key specification |
string |
"ECC_NIST_P384" |
no |
root_crl_days |
Number of days before Root CA CRL expires, in addition to seconds. Must be greater than or equal to Step Function interval |
number |
1 |
no |
root_crl_seconds |
Number of seconds before Root CA CRL expires, in addition to days. Used for overlap in case of clock skew |
number |
600 |
no |
runtime |
Lambda language runtime |
string |
"python3.12" |
no |
s3_aws_principals |
List of AWS Principals to allow access to external S3 bucket |
list |
[] |
no |
schedule_expression |
Step Function schedule in cron format; the interval should normally be the same as issuing_crl_days |
string |
"cron(15 8 * * ? *)" |
no |
sns_email_subscriptions |
List of email addresses to subscribe to SNS topic |
list(string) |
[] |
no |
sns_lambda_subscriptions |
A map of Lambda names to ARNs to subscribe to the SNS topic |
map(string) |
{} |
no |
sns_policy |
A string containing the SNS policy, if used |
string |
"" |
no |
sns_policy_template |
Name of SNS policy template file, if used |
string |
"default" |
no |
sns_sqs_subscriptions |
A map of SQS names to ARNs to subscribe to this SNS topic |
map(string) |
{} |
no |
subscription_filter_destination |
CloudWatch log subscription filter destination, last section of ARN |
string |
"" |
no |
timeout |
Amount of time, in seconds, that the Lambda function has to run |
number |
180 |
no |