Terraform variable reference
Auto-generated by go run ./tools/refgen/tfvars-md > book/src/29-terraform-variable-reference.md. Re-run on every terraform/variables.tf change.
Every variable below is settable via terraform.tfvars, -var, -var-file, or the corresponding TF_VAR_<name> environment variable (the mechanism to use for sensitive values). Variables whose Default column reads _required_ have no default and must be set explicitly. See Chapter 13 for how roksbnkctl threads these through the workspace config.
Root module variables
Source: terraform/variables.tf
| Variable | Type | Default | Description | Sensitive |
|---|---|---|---|---|
ibmcloud_api_key | string | required | IBM Cloud API key | yes |
ibmcloud_cluster_region | string | "ca-tor" | IBM Cloud region for all cluster resources | no |
ibmcloud_resource_group | string | "default" | IBM Cloud resource group name | no |
create_roks_cluster | bool | true | Create a new ROKS cluster. When false, supply roks_cluster_id_or_name instead. | no |
roks_cluster_id_or_name | string | "" | ID or name of an existing ROKS cluster — used when create_roks_cluster = false | no |
create_roks_transit_gateway | bool | true | Create Transit Gateway and VPC connections | no |
create_roks_registry_cos_instance | bool | true | Create Cloud Object Storage instance for the OpenShift image registry | no |
roks_cluster_vpc_name | string | "tf-cluster-vpc" | Name of the cluster VPC | no |
openshift_cluster_name | string | "tf-openshift-cluster" | Name of the OpenShift cluster | no |
openshift_cluster_version | string | "4.18" | OpenShift cluster version (e.g. 4.18). Leave empty to use the latest available. | no |
roks_workers_per_zone | number | 1 | Number of worker nodes per availability zone | no |
roks_min_worker_vcpu_count | number | 16 | Minimum vCPU count when auto-selecting the worker node flavor | no |
roks_min_worker_memory_gb | number | 64 | Minimum memory in GB when auto-selecting the worker node flavor | no |
roks_cos_instance_name | string | "tf-openshift-cos-instance" | Name of the COS instance for the OpenShift image registry | no |
roks_transit_gateway_name | string | "tf-tgw" | Name of the Transit Gateway. Must reference an existing TGW when create_roks_transit_gateway = false and testing_create_tgw_jumphost = true. | no |
install_cert_manager | bool | true | Install cert-manager. When false, cert_manager_namespace is passed directly to flo. | no |
cert_manager_namespace | string | "cert-manager" | Kubernetes namespace for cert-manager | no |
cert_manager_version | string | "v1.17.3" | cert-manager Helm chart version | no |
ibmcloud_cos_bucket_region | string | "us-south" | IBM Cloud region where the COS bucket is located | no |
ibmcloud_cos_instance_name | string | "bnk-orchestration" | IBM Cloud COS instance name | no |
ibmcloud_resources_cos_bucket | string | "bnk-schematics-resources" | IBM Cloud COS bucket containing FAR auth key and JWT files | no |
deploy_bnk | bool | true | Deploy BIG-IP Next for Kubernetes — creates flo, cne_instance, and license. When false all three modules are skipped. | no |
far_repo_url | string | "repo.f5.com" | FAR repository URL for Docker and Helm images | no |
f5_bigip_k8s_manifest_version | string | "2.3.0-3.2598.3-0.0.170" | Version of the f5-bigip-k8s-manifest chart (FLO and CIS versions are extracted from this) | no |
f5_cne_far_auth_file | string | "f5-far-auth-key.tgz" | FAR auth key filename in the COS bucket (.tgz) | no |
f5_cne_subscription_jwt_file | string | "trial.jwt" | Subscription JWT filename in the COS bucket — used by flo and license | no |
flo_namespace | string | "f5-bnk" | Kubernetes namespace for the F5 Lifecycle Operator | no |
flo_utils_namespace | string | "f5-utils" | Kubernetes namespace for F5 utility components — used by flo, cne_instance, and license | no |
bigip_username | string | "admin" | BIG-IP username for the CIS controller | no |
bigip_password | string | "admin" | BIG-IP password for the CIS controller | yes |
bigip_url | string | "192.168.1.245" | BIG-IP URL for the CIS controller | no |
flo_trusted_profile_id | string | "" | IBM Cloud Trusted Profile ID created by flo — wired automatically from flo output; set here to override | no |
flo_cluster_issuer_name | string | "" | Kubernetes ClusterIssuer name created by flo — wired automatically from flo output; set here to override | no |
cneinstance_network_attachments | list(string) | ["ens3-ipvlan-l2", "macvlan-conf"] | Network attachment names for cne_instance — wired automatically from flo output; set here to override | no |
cneinstance_deployment_size | string | "Small" | Deployment size for CNEInstance (Small, Medium, Large) | no |
cneinstance_gslb_datacenter_name | string | "" | GSLB datacenter name for CNEInstance (optional) | no |
license_mode | string | "connected" | License operation mode (connected or disconnected) | no |
testing_create_tgw_jumphost | bool | true | Create a jumphost in a client VPC connected to the cluster via the Transit Gateway | no |
testing_create_cluster_jumphosts | bool | false | Create one jumphost per availability zone directly inside the cluster VPC | no |
testing_ssh_key_name | string | "" | Name of the IBM Cloud SSH key to inject into all jumphosts | no |
testing_jumphost_profile | string | "" | Instance profile for all jumphosts (leave empty to auto-select based on testing_min_vcpu_count and testing_min_memory_gb) | no |
testing_min_vcpu_count | number | 4 | Minimum vCPU count when auto-selecting the jumphost instance profile | no |
testing_min_memory_gb | number | 8 | Minimum memory in GB when auto-selecting the jumphost instance profile | no |
testing_create_client_vpc | bool | false | Create a new client VPC for the TGW jumphost. When false, testing_client_vpc_name must reference an existing VPC. | no |
testing_client_vpc_name | string | "tf-testing-vpc" | Name of the client VPC — created when testing_create_client_vpc = true, or looked up when false | no |
testing_client_vpc_region | string | "ca-tor" | IBM Cloud region for the client VPC and TGW jumphost | no |
testing_tgw_jumphost_name | string | "tf-testing-jumphost-tgw" | Name of the TGW-connected jumphost instance | no |
testing_cluster_jumphost_name_prefix | string | "tf-testing-jumphost-cluster" | Name prefix for cluster jumphosts — zone name is appended (<prefix>-<zone>) | no |
kubeconfig_dir | string | "/work/.bnk/scratch/kubeconfig" | Parent directory where ibm_container_cluster_config writes admin kubeconfigs. Each submodule appends its name as a subdir. Default is the bnk runner image’s /work mount; override for direct-on-host runs. | no |
scratch_dir | string | "/work/.bnk/scratch" | Persistent scratch directory for FLO’s FAR/manifest cross-apply artifacts. Default is the bnk runner image’s /work mount; override for direct-on-host runs. | no |
Module: cert_manager
Source: terraform/modules/cert_manager/variables.tf
| Variable | Type | Default | Description | Sensitive |
|---|---|---|---|---|
ibmcloud_api_key | string | required | IBM Cloud API Key | yes |
ibmcloud_cluster_region | string | "ca-tor" | IBM Cloud region where the cluster resides | no |
ibmcloud_resource_group | string | "default" | IBM Cloud Resource Group name (leave empty to use account default) | no |
roks_cluster_name_or_id | string | required | Name or ID of the existing OpenShift ROKS cluster to deploy BNK onto | no |
cert_manager_namespace | string | "cert-manager" | Kubernetes namespace for cert-manager | no |
cert_manager_version | string | "v1.17.3" | cert-manager Helm chart version | no |
create_roks_cluster | bool | false | When true, cluster is being created by roks_cluster — skip plan-time cluster credential fetch | no |
roks_cluster_dependency_id | string | null | roks_cluster sentinel ID — when set, defers runtime_config fetch to apply time after roks_cluster completes | no |
kubeconfig_dir | string | "/work/.bnk/scratch/kubeconfig/cert_manager" | Persistent, writable dir for ibm_container_cluster_config kubeconfig downloads. Defaults to a host-bind-mounted, module-scoped path under .bnk/scratch. | no |
Module: cne_instance
Source: terraform/modules/cne_instance/variables.tf
| Variable | Type | Default | Description | Sensitive |
|---|---|---|---|---|
ibmcloud_api_key | string | required | IBM Cloud API Key | yes |
ibmcloud_cluster_region | string | "ca-tor" | IBM Cloud region where the cluster resides | no |
ibmcloud_resource_group | string | "default" | IBM Cloud Resource Group name (leave empty to use account default) | no |
roks_cluster_name_or_id | string | required | Name or ID of the existing OpenShift ROKS cluster to deploy BNK onto | no |
far_repo_url | string | "repo.f5.com" | FAR Repository URL for Docker and Helm registry | no |
flo_namespace | string | "f5-bnk" | Namespace for F5 Lifecycle Operator | no |
flo_utils_namespace | string | "f5-utils" | Namespace for F5 utility components | no |
f5_bigip_k8s_manifest_version | string | "2.3.0-3.2598.3-0.0.170" | Version of f5-bigip-k8s-manifest chart - used by flo, cneinstance modules | no |
flo_trusted_profile_id | string | "" | IBM IAM Trusted Profile ID for provisioning VPC routes | no |
flo_cluster_issuer_name | string | "" | mTLS certificate issuer name | no |
cneinstance_deployment_size | string | "Small" | Deployment size for CNEInstance (Small, Medium, Large) | no |
cneinstance_gslb_datacenter_name | string | "" | GSLB datacenter name for CNEInstance (optional) | no |
cneinstance_network_attachments | list(string) | ["ens3-ipvlan-l2", "macvlan-conf"] | The Multus Network Attachment Definitions for the CNEInstance TMM deployments | no |
create_roks_cluster | bool | false | When true, cluster is being created by roks_cluster — skip plan-time cluster credential fetch | no |
roks_cluster_dependency_id | string | null | roks_cluster sentinel ID — when set, defers runtime_config fetch to apply time after roks_cluster completes | no |
flo_dependency_id | string | null | flo_ready sentinel ID — pass module.flo.flo_ready_id to defer cne_instance until flo completes and CRDs are registered | no |
deploy_bnk | bool | true | Deploy BIG-IP Next for Kubernetes — when false the inner cneinstance module is disabled and no CNEInstance resources are created | no |
kubeconfig_dir | string | "/work/.bnk/scratch/kubeconfig/cne_instance" | Persistent, writable dir for ibm_container_cluster_config kubeconfig downloads. Defaults to a host-bind-mounted, module-scoped path under .bnk/scratch. | no |
Module: flo
Source: terraform/modules/flo/variables.tf
| Variable | Type | Default | Description | Sensitive |
|---|---|---|---|---|
ibmcloud_api_key | string | required | IBM Cloud API Key | yes |
ibmcloud_cluster_region | string | "ca-tor" | IBM Cloud region where the cluster resides | no |
ibmcloud_resource_group | string | "default" | IBM Cloud Resource Group name (leave empty to use account default) | no |
roks_cluster_name_or_id | string | required | Name or ID of the existing OpenShift ROKS cluster to deploy BNK onto | no |
far_repo_url | string | "repo.f5.com" | FAR Repository URL for Docker and Helm registry | no |
f5_bigip_k8s_manifest_version | string | "2.3.0-3.2598.3-0.0.170" | Version of the f5-bigip-k8s-manifest chart (FLO/CIS versions are extracted from this) | no |
use_cos_bucket | bool | true | Fetch FAR auth key and JWT from IBM Cloud Object Storage instead of local variables | no |
ibmcloud_cos_bucket_region | string | "us-south" | IBM Cloud region where the COS bucket is located | no |
ibmcloud_cos_instance_name | string | "bnk-orchestration" | IBM Cloud COS instance name | no |
ibmcloud_resources_cos_bucket | string | "bnk-schematics-resources" | IBM Cloud COS bucket containing the FAR auth key and JWT files | no |
f5_cne_far_auth_file | string | "f5-far-auth-key.tgz" | FAR auth key filename in the COS bucket (.tgz) | no |
f5_cne_subscription_jwt_file | string | "trial.jwt" | Subscription JWT filename in the COS bucket | no |
flo_namespace | string | "f5-bnk" | Namespace for F5 Lifecycle Operator | no |
flo_utils_namespace | string | "f5-utils" | Namespace for F5 utility components | no |
cert_manager_namespace | string | "cert-manager" | Kubernetes namespace for cert-manager - used by cert-manager, flo modules | no |
bigip_username | string | "admin" | BIG-IP username for CIS controller login | no |
bigip_password | string | "admin" | BIG-IP password for CIS controller login | yes |
bigip_url | string | "https://192.168.1.245" | BIG-IP URL for CIS controller login | no |
create_roks_cluster | bool | false | When true, cluster is being created by roks_cluster — skip plan-time cluster credential fetch | no |
roks_cluster_dependency_id | string | null | roks_cluster sentinel ID — when set, defers runtime_config fetch to apply time after roks_cluster completes | no |
cert_manager_dependency_id | string | null | cert_manager ready sentinel ID — when set, blocks flo inner module until cert-manager CRDs are available | no |
deploy_bnk | bool | true | Deploy BIG-IP Next for Kubernetes — when false the inner flo module is disabled and no FLO resources are created | no |
kubeconfig_dir | string | "/work/.bnk/scratch/kubeconfig/flo" | Persistent, writable dir for ibm_container_cluster_config kubeconfig downloads. Defaults to a host-bind-mounted, module-scoped path under .bnk/scratch. | no |
scratch_dir | string | "/work/.bnk/scratch" | Persistent scratch directory for FAR/manifest cross-apply artifacts. Default is the bnk runner image’s /work mount. | no |
Module: license
Source: terraform/modules/license/variables.tf
| Variable | Type | Default | Description | Sensitive |
|---|---|---|---|---|
ibmcloud_api_key | string | required | IBM Cloud API Key | yes |
ibmcloud_cluster_region | string | "ca-tor" | IBM Cloud region where the cluster resides | no |
ibmcloud_resource_group | string | "default" | IBM Cloud Resource Group name (leave empty to use account default) | no |
ibmcloud_cos_bucket_region | string | "us-south" | IBM Cloud region where the COS bucket is located | no |
ibmcloud_cos_instance_name | string | "bnk-orchestration" | IBM Cloud COS instance name | no |
ibmcloud_resources_cos_bucket | string | "bnk-schematics-resources" | IBM Cloud COS bucket containing the FAR auth key and JWT files | no |
roks_cluster_name_or_id | string | required | Name or ID of the existing OpenShift ROKS cluster to deploy BNK onto | no |
flo_utils_namespace | string | "f5-utils" | Namespace for F5 utility components | no |
f5_cne_subscription_jwt_file | string | "trial.jwt" | Subscription JWT filename in the COS bucket | no |
license_mode | string | "connected" | License operation mode (connected or disconnected) | no |
create_roks_cluster | bool | false | When true, cluster is being created by roks_cluster — skip plan-time cluster credential fetch | no |
roks_cluster_dependency_id | string | null | roks_cluster sentinel ID — when set, defers runtime_config fetch to apply time after roks_cluster completes | no |
cneinstance_dependency_id | string | null | cneinstance_ready_id from ws4 — when set, ensures License CRD is available before applying License CR | no |
deploy_bnk | bool | true | Deploy BIG-IP Next for Kubernetes — when false the inner license module is disabled and no License resources are created | no |
kubeconfig_dir | string | "/work/.bnk/scratch/kubeconfig/license" | Persistent, writable dir for ibm_container_cluster_config kubeconfig downloads. Defaults to a host-bind-mounted, module-scoped path under .bnk/scratch. | no |
Module: roks_cluster
Source: terraform/modules/roks_cluster/variables.tf
| Variable | Type | Default | Description | Sensitive |
|---|---|---|---|---|
ibmcloud_api_key | string | required | IBM Cloud API key | yes |
ibmcloud_cluster_region | string | required | IBM Cloud region for all cluster resources | no |
ibmcloud_resource_group | string | "default" | IBM Cloud resource group name | no |
create_roks_cluster | bool | true | Create a new ROKS cluster. When false, supply roks_cluster_id_or_name instead. | no |
roks_cluster_id_or_name | string | "" | ID or name of an existing ROKS cluster — used when create_roks_cluster = false | no |
create_roks_transit_gateway | bool | true | Create Transit Gateway and VPC connections | no |
create_roks_registry_cos_instance | bool | true | Create Cloud Object Storage instance for the OpenShift image registry | no |
roks_cluster_vpc_name | string | "tf-cluster-vpc" | Name of the cluster VPC | no |
openshift_cluster_name | string | "tf-openshift-cluster" | Name of the OpenShift cluster | no |
openshift_cluster_version | string | "4.18" | OpenShift cluster version (e.g. 4.18) | no |
roks_workers_per_zone | number | 1 | Number of worker nodes per availability zone | no |
roks_min_worker_vcpu_count | number | 16 | Minimum vCPU count when auto-selecting the worker node flavor | no |
roks_min_worker_memory_gb | number | 64 | Minimum memory in GB when auto-selecting the worker node flavor | no |
roks_cos_instance_name | string | "tf-openshift-cos-instance" | Name of the COS instance for the OpenShift image registry | no |
roks_transit_gateway_name | string | "tf-tgw" | Name of the Transit Gateway | no |
Module: testing
Source: terraform/modules/testing/variables.tf
| Variable | Type | Default | Description | Sensitive |
|---|---|---|---|---|
ibmcloud_api_key | string | required | IBM Cloud API Key | yes |
ibmcloud_cluster_region | string | "ca-tor" | IBM Cloud region where the referenced cluster resides | no |
ibmcloud_resource_group | string | "" | IBM Cloud Resource Group name (leave empty to use account default) | no |
roks_cluster_name_or_id | string | required | Name or ID of the existing OpenShift ROKS cluster | no |
testing_create_tgw_jumphost | bool | true | Create a jumphost in a client VPC and (optionally) connect it to the cluster via a Transit Gateway | no |
testing_create_cluster_jumphosts | bool | false | Create one jumphost per availability zone directly inside the cluster VPC | no |
testing_ssh_key_name | string | "" | Name of the SSH key to inject into all jumphosts. Must exist in testing_client_vpc_region (for the TGW jumphost) and in ibmcloud_cluster_region (for cluster jumphosts) | no |
testing_jumphost_profile | string | "" | Instance profile for all jumphosts (leave empty to auto-select from testing_min_vcpu_count and testing_min_memory_gb) | no |
testing_min_vcpu_count | number | 4 | Minimum vCPU count when auto-selecting the instance profile | no |
testing_min_memory_gb | number | 8 | Minimum memory in GB when auto-selecting the instance profile | no |
testing_create_client_vpc | bool | false | Create a new client VPC for the TGW jumphost. When false, testing_client_vpc_name must reference an existing VPC | no |
testing_client_vpc_name | string | "tf-testing-vpc" | Name of the client VPC — created when testing_create_client_vpc = true, or looked up when testing_create_client_vpc = false | no |
testing_client_vpc_region | string | "ca-tor" | IBM Cloud region for the client VPC and TGW jumphost | no |
testing_transit_gateway_name | string | "" | Name of an existing Transit Gateway to connect the client VPC to (leave empty to skip TGW attachment) | no |
testing_tgw_jumphost_name | string | "tf-testing-jumphost-tgw" | Name of the TGW-connected jumphost instance (used as prefix for subnet, gateway, security group, and floating IP) | no |
testing_cluster_jumphost_name_prefix | string | "tf-testing-jumphost-cluster" | Name prefix for cluster jumphosts — zone name is appended (<prefix>-<zone>) | no |
roks_cluster_dependency_id | string | null | roks_cluster sentinel ID — when set, defers cluster/TGW data source reads to apply time after roks_cluster completes | no |
create_roks_cluster | bool | false | Set to true when the ROKS cluster is being created in this run — skips cluster-VPC-derived data sources that require a pre-existing cluster | no |
cluster_vpc_id | string | "" | ID of the cluster VPC — pass module.roks_cluster.roks_cluster_vpc_id directly; avoids deriving via worker-pool subnet chain which is deferred to apply time | no |