# Deployment target and naming. The all-zero project_id is a placeholder;
# replace it with your own STACKIT project ID.
project_id = "00000000-0000-0000-0000-000000000000"
region = "eu01"
availability_zone = "eu01-1"
# NOTE(review): prefix is presumably used to name the created resources;
# confirm against the module's variable description.
prefix = "stackittestuser"
# This must match the organization name configured on software.cisco.com for
# the Cisco Smart Account / Plug and Play controller profile used by this lab.
organization_name = "STACKITTESTUSER_SDWAN"
# This must be the DNS-resolvable vBond FQDN used by your controllers. It must
# match the vBond hostname configured in software.cisco.com > Network Plug and
# Play > Controller Profiles.
# The value below is a sample; replace it with your own FQDN.
vbond_hostname = "vbond.vbond"
# Labels for this deployment.
# NOTE(review): presumably attached to every created resource; confirm.
custom_labels = {
environment = "lab"
}
# One image ID per controller role. All three values are placeholders and must
# be replaced before running terraform apply.
image_ids = {
vmanage = "replace-with-stackit-image-id"
vsmart = "replace-with-stackit-image-id"
vbond = "replace-with-stackit-image-id"
}
# NOTE(review): only two keys are given here; "controller" presumably covers
# both vBond and vSmart. Confirm against the module.
machine_types = {
vmanage = "g3i.28"
controller = "c3i.4"
}
# NOTE(review): units are not stated in this file; presumably GB. Confirm.
boot_volume_sizes = {
vmanage = 30
controller = 12
}
# NOTE(review): presumably the vManage data volume size in GB; confirm.
vmanage_data_disk_size = 1024
# Credentials. The values below are placeholders. Once real values are filled
# in, keep the resulting terraform.tfvars out of version control and readable
# only by the operator: admin_password is stored here in clear text, and
# Terraform state can also contain input values in clear text, so protect the
# state backend as well.
# NOTE(review): where the tooling allows, supplying the password through a
# TF_VAR_admin_password environment variable or a secrets manager avoids
# keeping it on disk in this file.
admin_password = "replace-with-a-strong-password"
# SHA-512 crypt hash ("$6$" prefix), as produced by `openssl passwd -6`.
# NOTE(review): presumably this must be the hash of admin_password above;
# confirm against the module.
admin_password_hash = "$6$replace-with-openssl-passwd-6-output"
# Public half of the operator's SSH key pair only; never paste a private key.
ssh_public_key = "ssh-ed25519 AAAA..."
# Controller certificate settings.
controller_certificate_method = "cisco_pki"
# cisco_pki is the default controller certificate flow.
# It uses the default Cisco trust bundle in the image, does not inject a root CA
# through cloud-init, and will later prompt for Cisco Smart Account registration
# during ./scripts/stackit_cluster_certificate.py. The Smart Account organization must match
# organization_name above exactly as it appears on software.cisco.com.
# NOTE(review): the accepted values of vmanage_cert_mode and the exact use of
# the vmanage_generated_* settings are not shown in this file; confirm against
# the module before changing them.
vmanage_cert_mode = "disabled"
vmanage_generated_cert_dir = "certs/vmanage/generated"
vmanage_generated_root_common_name = "STACKITTESTUSER_SDWAN Example Root CA"
vmanage_generated_server_common_name = "stackittestuser-vmanage.example"
# If you prefer the older enterprise-local CA flow instead of Cisco PKI,
# set controller_certificate_method = "enterprise_local". Then point these paths
# at your local CA/cert material as needed.
# The *_server_key_path files are presumably the servers' private keys: keep
# them (and any CA private key stored alongside them) out of version control
# and readable only by the operator running Terraform.
vmanage_symantec_root_ca_cert_path = "certs/vmanage/symantec-root-ca.crt"
vmanage_root_ca_cert_path = "certs/controllers/root-ca.crt"
vmanage_server_cert_path = "certs/vmanage/server.crt"
vmanage_server_key_path = "certs/vmanage/server.key"
vmanage_server_csr_path = "certs/vmanage/server.csr"
# vBond and vSmart reference the same root CA file as vManage
# (certs/controllers/root-ca.crt).
vbond_root_ca_cert_path = "certs/controllers/root-ca.crt"
vbond_server_cert_path = "certs/vbond/generated/server.crt"
vbond_server_key_path = "certs/vbond/generated/server.key"
vbond_server_csr_path = "certs/vbond/generated/server.csr"
vsmart_root_ca_cert_path = "certs/controllers/root-ca.crt"
vsmart_server_cert_path = "certs/vsmart/generated/server.crt"
vsmart_server_key_path = "certs/vsmart/generated/server.key"
vsmart_server_csr_path = "certs/vsmart/generated/server.csr"
# Source ranges allowed to reach the controller public IPs.
# NOTE(review): the entries below are the example's own values; replace them
# with your operator ranges rather than applying them as-is. Two things to
# review when you do:
#   - 128.107.0.0/16 admits 65,536 addresses; prefer the narrowest range that
#     covers your operators.
#   - 128.107.241.160/27 and every 151.186.x.y/32 entry already fall inside a
#     broader range in this list, so they add no extra access and make the
#     effective allow-list harder to audit.
admin_access_cidrs = [
# Add the external source IPs or CIDRs that should be allowed to reach the
# controller public IPs. Terraform automatically adds controller-to-controller
# reachability separately, so only operator/admin source ranges belong here.
"171.70.59.0/24",
"128.107.0.0/16",
"128.107.241.160/27",
"151.186.182.0/24",
"151.186.183.0/24",
"151.186.186.0/24",
"151.186.183.24/32",
"151.186.183.87/32",
"151.186.183.198/32",
"151.186.183.197/32",
"151.186.186.24/32",
"151.186.186.88/32",
"151.186.186.37/32",
"151.186.186.102/32",
"151.186.182.23/32",
"151.186.182.87/32",
"151.186.182.211/32",
"151.186.182.146/32",
]
# NOTE(review): 0.0.0.0/0 matches every IPv4 source address. If this list
# feeds the SSH ingress rule for the controllers' public IPs (as the name
# suggests; confirm against the module), SSH is reachable from the whole
# internet. Before applying, replace it with the same operator ranges used in
# admin_access_cidrs, or with a bastion/VPN egress address.
ssh_access_cidrs = [
"0.0.0.0/0",
]
# NOTE(review): these presumably attach public IPs to the management and
# transport interfaces. With both true, admin_access_cidrs and
# ssh_access_cidrs are the only source restrictions visible in this file, so
# review those lists before enabling. Confirm against the module.
management_public_ips_enabled = true
transport_public_ips_enabled = true
# Keep this false by default so you can verify terraform apply completed
# successfully and then run the first-boot disk formatting helper separately.
run_vmanage_firstboot_init = false
# Public resolvers (Cloudflare and Google). Use internal resolvers instead if
# DNS queries from the lab network should not go to third-party services.
network_ipv4_nameservers = ["1.1.1.1", "8.8.8.8"]
# NOTE(review): presumably one site ID per controller instance, i.e. three
# vManage, two vBond and two vSmart nodes; confirm against the module.
vmanage_site_ids = [110, 111, 112]
vbond_site_ids = [120, 121]
vsmart_site_ids = [130, 131]
# NOTE(review): null presumably selects the module's default set of
# controllers; confirm against the variable's description.
enabled_controller_keys = null