# Named AWS CLI/SDK profile used for every provider call in this lab.
variable "aws_profile" {
  type        = string
  default     = "cve-lab"
  description = "AWS CLI profile with lab credentials."
}

# Target region. The ami_id default is only valid in this region, so change both together.
variable "region" {
  type        = string
  default     = "ap-southeast-1"
  description = "AWS region (AMI ids are region-specific)."
}

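# CVE under study; presumably used in resource names/tags so instances are
# attributable to a specific lab. Validated to the CVE-YYYY-NNNN[N...] form.
variable "cve_id" {
  description = "CVE identifier this lab reproduces (CVE-YYYY-NNNN form)."
  type        = string
  default     = "CVE-2016-5195"

  validation {
    condition     = can(regex("^CVE-[0-9]{4}-[0-9]{4,}$", var.cve_id))
    error_message = "cve_id must look like CVE-YYYY-NNNN (four-digit year, at least four digits)."
  }
}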

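# Per-run identifier. The default is a YYYYMMDD-HHMMSS stamp; other formats are
# accepted, but the value should be unique per run so resources from different
# runs can be told apart (and cleaned up) independently.
variable "lab_run_id" {
  description = "Identifier for this lab run (default is a YYYYMMDD-HHMMSS timestamp); should be unique per run."
  type        = string
  default     = "20260531-150029"

  validation {
    condition     = length(var.lab_run_id) > 0
    error_message = "lab_run_id must not be empty."
  }
}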

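# Expiry tag value. Kept strictly RFC3339 so any TTL/cleanup tooling that reads the
# tag can parse it; a malformed value would otherwise tag the instance unparseably
# and it could outlive the intended 24h window.
variable "expiry_ts" {
  description = "24h-out expiry tag (RFC3339)."
  type        = string
  default     = "2026-06-01T15:00:29Z"

  validation {
    # timeadd() only accepts RFC3339 timestamps, so a zero-duration add is a parse check.
    condition     = can(timeadd(var.expiry_ts, "0s"))
    error_message = "expiry_ts must be an RFC3339 timestamp, e.g. 2026-06-01T15:00:29Z."
  }
}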

# Base AMI: Canonical ubuntu-pro xenial 16.04 hvm-ssd in ap-southeast-1
# (resolved 2026-05-31: ubuntu-pro-server/.../ubuntu-xenial-16.04-amd64-pro-server-20260428).
# Pro is auto-attached on this AMI; cloud-init STRIPS Livepatch/Pro before reboot so
# Dirty COW is NOT patched at runtime. Non-Pro xenial AMIs are retired (see memory).
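variable "ami_id" {
  description = "Base ubuntu-pro xenial 16.04 AMI in the target region."
  type        = string
  default     = "ami-03df7ce447aba3556"

  validation {
    # Reject obvious typos / pasted names early: AMI ids are "ami-" + 8 or 17 hex chars.
    # This does not check the AMI exists in var.region; that still fails at plan/apply.
    condition     = can(regex("^ami-([0-9a-f]{8}|[0-9a-f]{17})$", var.ami_id))
    error_message = "ami_id must be an AMI id of the form ami-xxxxxxxx or ami-xxxxxxxxxxxxxxxxx."
  }
}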

# Xen, non-Nitro, 2 DEDICATED non-burstable vCPUs.
#  - Xen/non-Nitro: old 4.4.0-21 generic initramfs has xvda drivers, boots cleanly
#    (Nitro NVMe/ENA would wedge it in the initramfs rescue shell).
#  - c4.xlarge = 4 vCPU / 2 PHYSICAL cores x 2 threads, NON-burstable. c4.large had
#    only 1 physical core (2 SMT siblings), so the Dirty COW race could not win — the
#    cowprobe positive control failed 5/5. 2 physical cores give the genuine
#    cross-core parallelism the race needs. Same Xen/non-Nitro c4 family, so the
#    existing old-kernel 4.4.0-21 initramfs/xvda driver still boots cleanly.
# See the rationale above: the Xen/non-Nitro requirement is about booting the old
# initramfs; the physical-core requirement is about the lab's positive control.
variable "instance_type" {
  type        = string
  default     = "c4.xlarge"
  description = "Xen non-Nitro non-burstable type with >=2 PHYSICAL cores (Dirty COW race needs cross-core parallelism)."
}

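# Local account the lab provisions as the unprivileged actor. Rejecting "root"
# enforces the "genuinely unprivileged" contract stated in the description;
# the regex mirrors the default useradd NAME_REGEX (lowercase, <=32 chars).
variable "actor_user" {
  description = "Genuinely unprivileged local actor the exploit runs as."
  type        = string
  default     = "lowpriv"

  validation {
    condition     = var.actor_user != "root" && can(regex("^[a-z_][a-z0-9_-]{0,31}$", var.actor_user))
    error_message = "actor_user must be a valid lowercase Linux username (max 32 chars) and must not be root."
  }
}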

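# SSH ingress source. The default is a loopback /32: syntactically a valid CIDR so the
# security-group rule still renders, but it matches no real source, so the effective
# default is "no ingress". The validation makes the "never 0.0.0.0/0" intent a hard
# plan-time error rather than a comment.
variable "allowed_ssh_cidr" {
  description = "CIDR allowed to reach SSH. Operator should set to their /32. Defaults to a loopback /32 (matches no real source, i.e. no ingress) so a plan never opens 0.0.0.0/0 by accident."
  type        = string
  default     = "127.0.0.1/32"

  validation {
    # cidrhost() fails on anything that is not a valid CIDR prefix.
    condition     = can(cidrhost(var.allowed_ssh_cidr, 0)) && var.allowed_ssh_cidr != "0.0.0.0/0" && var.allowed_ssh_cidr != "::/0"
    error_message = "allowed_ssh_cidr must be a valid CIDR and must not be 0.0.0.0/0 or ::/0; set it to your own /32."
  }
}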
