jimeh/terraform-cloudflare-email
1
0
Fork 0
mirror of https://github.com/jimeh/terraform-cloudflare-email.git synced 2026-02-18 17:36:40 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
terraform-cloudflare-email/variables.tf

246 lines
5.8 KiB
HCL
Raw Permalink Blame History

#
# General
#
variable "account_id" {
type = string
description = "Cloudflare Account ID"
}
variable "zone_id" {
type = string
description = "Cloudflare Zone ID"
}
variable "record_ttl" {
type = number
default = 1
nullable = false
description = "TTL for DNS records. `1` is auto. Default is `1`."
}
#
# MX
#
variable "mx" {
type = map(number)
description = "A map representing the MX records. Key is the mail server hostname and value is the priority."
validation {
condition = length(var.mx) > 0
error_message = "At least one MX record is required."
}
}
variable "mx_subdomains" {
type = list(string)
description = "List of sub-domains to also apply MX records to."
default = []
}
#
# SPF
#
variable "spf_terms" {
type = list(string)
default = ["mx", "a", "~all"]
description = "List of SPF terms that should be included in the SPF TXT record."
}
#
# TLS SMTP
#
variable "tlsrpt_rua" {
type = list(string)
description = "Locations to which aggregate TLS SMTP reports about policy violations should be sent, either `mailto:` or `https:` schema."
validation {
condition = length(var.tlsrpt_rua) != 0
error_message = "At least one `mailto:` or `https:` endpoint provided."
}
validation {
condition = can([
for loc in var.tlsrpt_rua : regex("^(mailto|https):", loc)
])
error_message = "Locations must start with either the `mailto:` or `https` schema."
}
}
#
# MTA-STS
#
variable "mta_sts_mode" {
type = string
default = "testing"
description = "MTA policy mode, https://tools.ietf.org/html/rfc8461#section-5"
validation {
condition = contains(["enforce", "testing", "none"], var.mta_sts_mode)
error_message = "Must be `enforce`, `testing`, or `none`."
}
}
variable "mta_sts_max_age" {
type = number
default = 604800 # 1 week
description = "Maximum lifetime of the policy in seconds, up to 31557600, defaults to 604800 (1 week)"
validation {
condition = var.mta_sts_max_age >= 0
error_message = "Policy validity time must be positive."
}
validation {
condition = var.mta_sts_max_age <= 31557600
error_message = "Policy validity time must be less than 1 year (31557600 seconds)."
}
}
variable "mta_sts_mx" {
type = list(string)
default = []
description = "Additional permitted MX hosts for the MTA STS policy."
}
#
# DMARC
#
variable "dmarc_policy" {
type = string
default = "none"
description = "The DMARC policy to apply (options: `none`, `quarantine`, `reject`)."
validation {
condition = contains(["none", "quarantine", "reject"], var.dmarc_policy)
error_message = "Must be `none`, `quarantine`, or `reject`."
}
}
variable "dmarc_spf_mode" {
type = string
default = "relaxed"
description = "The DMARC SPF mode for alignment (options: `relaxed`, `strict`)."
validation {
condition = contains(["relaxed", "strict"], var.dmarc_spf_mode)
error_message = "Must be `relaxed` or `strict`."
}
}
variable "dmarc_dkim_mode" {
type = string
default = "relaxed"
description = "The DMARC DKIM mode for alignment (options: `relaxed`, `strict`)."
validation {
condition = contains(["relaxed", "strict"], var.dmarc_dkim_mode)
error_message = "Must be `relaxed` or `strict`."
}
}
variable "dmarc_percent" {
type = number
default = 100
description = "Percentage of messages to apply the DMARC policy to (0-100)."
validation {
condition = var.dmarc_percent > 0 && var.dmarc_percent <= 100
error_message = "Must be between 0 and 100."
}
}
variable "dmarc_ttl" {
type = number
default = 1
description = "TTL for `_dmarc` DNS record. `1` is auto. Default is `1`."
validation {
condition = var.dmarc_ttl > 0 && var.dmarc_ttl <= 604800
error_message = "Must be between 1 and 604800."
}
}
variable "dmarc_rua" {
type = list(string)
description = "Where aggregate DMARC reports about policy violations should be sent."
validation {
condition = length(var.dmarc_rua) != 0
error_message = "At least one `mailto:` endpoint must be provided."
}
validation {
condition = can([
for loc in var.dmarc_rua : regex("^mailto:.+", loc)
])
error_message = "All must start with `mailto:`."
}
}
variable "dmarc_ruf" {
type = list(string)
default = []
description = "Where failure/forensic DMARC reports about policy violations should be sent."
validation {
condition = can([
for loc in var.dmarc_ruf : regex("^mailto:.+", loc)
])
error_message = "All must start with `mailto:`."
}
}
variable "dmarc_fo" {
type = string
default = "1:d:s"
description = "Failure reporting options for DMARC (characters: `0`, `1`, `d`, `s`, separated by `:`)."
validation {
condition = alltrue([
for v in split(":", var.dmarc_fo) : contains(["0", "1", "d", "s"], v)
])
error_message = "Only `0`, `1`, `d`, and `s` are supported, separated by `:`."
}
}
#
# Domain Keys (DKIM)
#
variable "domainkeys" {
type = map(object({
type = string
value = string
}))
default = {}
description = "Map of domain keys with name, record type (`TXT` or `CNAME`), and value."
validation {
condition = alltrue([
for name, dk in var.domainkeys : trimspace(name) != ""
])
error_message = "Domain key name cannot be empty."
}
validation {
condition = alltrue([
for name, dk in var.domainkeys :
contains(["TXT", "CNAME"], upper(dk.type))
])
error_message = "Domain key type must be `TXT` or `CNAME`."
}
validation {
condition = alltrue([
for name, dk in var.domainkeys : trimspace(dk.value) != ""
])
error_message = "Domain key value cannot be empty."
}
}
Reference in New Issue View Git Blame Copy Permalink