variable "aws_profile" {
  # Only the profile *name* lives here; the credentials it refers to are never
  # stored in this file.
  type        = string
  default     = "cve-lab"
  description = "Named AWS CLI profile with lab credentials."
}

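variable "region" {
  description = "AWS region. AMI ids below are resolved for this region."
  type        = string
  default     = "ap-southeast-1"

  # The AMI default is only valid in ap-southeast-1; this check cannot express
  # that cross-variable coupling, but it does reject typos (e.g. a trailing
  # space or a missing numeric suffix) at plan time instead of at apply time.
  validation {
    condition     = can(regex("^[a-z]{2}(-gov)?-[a-z]+-[0-9]+$", var.region))
    error_message = "The region value must look like an AWS region code, e.g. ap-southeast-1."
  }
}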

variable "instance_type" {
  type    = string
  default = "t3.small"

  # Rationale for the small burstable size is kept in the description so it is
  # visible in `terraform plan` / module docs, not only in this file.
  description = <<-EOT
    Instance type for the lab VM. t3.small is Nitro but that is fine here:
    the vulnerable kernel is a modern 6.8 GA series that already ships ENA/NVMe
    drivers, so the old-kernel Nitro boot-hang caveat does not apply. This is
    not a race/TOCTOU CVE (the trigger is deterministic per the criterion), so
    2 burstable vCPUs are sufficient.
  EOT
}

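variable "ami_id" {
  description = <<-EOT
    Ubuntu 24.04 (noble) amd64 server AMI, build 20260321 (2026-03-21), resolved
    in ap-southeast-1. This build predates the CVE-2026-31431 fix commit
    (a664bf3d603d, 2026-03-26) and any distro backport, so its stock 6.8 GA
    kernel is within the affected range (6.7 .. 6.12.85). cloud-init holds the
    kernel so first-boot apt cannot upgrade it to a patched build.
  EOT
  type        = string
  default     = "ami-0d17372de612983fe"

  # AMI ids are region-scoped: this default is only meaningful together with
  # region = "ap-southeast-1". A validation block cannot check that pairing, so
  # at least reject values that are not AMI ids at all (the `ami-` prefix plus
  # 8 or 17 lowercase hex characters) before anything is created.
  validation {
    condition     = can(regex("^ami-[0-9a-f]{8,17}$", var.ami_id))
    error_message = "The ami_id value must be an AMI id of the form ami-<hex>, and must be resolved for the selected region."
  }
}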

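variable "cve_id" {
  # Previously undocumented. Purely a label; nothing in this file derives
  # behaviour from it, so a wrong value would only mislabel resources.
  description = "CVE identifier this lab reproduces; used as a label only."
  type        = string
  default     = "CVE-2026-31431"

  # CVE ids are CVE-<year>-<4 or more digits>; catch typos at plan time.
  validation {
    condition     = can(regex("^CVE-[0-9]{4}-[0-9]{4,}$", var.cve_id))
    error_message = "The cve_id value must be a CVE identifier of the form CVE-YYYY-NNNN."
  }
}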

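variable "lab_run_id" {
  description = "Unique per-run id; used to name the key pair and tag resources."
  type        = string
  default     = "cve-2026-31431-20260603-093846"

  # NOTE: the default is a fixed literal, so it is only "unique per run" if this
  # file is regenerated for each run or the value is overridden with -var.
  # Re-applying with the same id in the same account will collide on the key
  # pair name. An empty id would produce an unnamed key pair and empty tags, so
  # reject it outright.
  validation {
    condition     = length(trimspace(var.lab_run_id)) > 0
    error_message = "The lab_run_id value must be a non-empty string."
  }
}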

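variable "expiry_ts" {
  description = <<-EOT
    Hard expiry tag (24h out), stamped on every resource. Set as a concrete,
    plan-time-known value rather than computed from timestamp() at apply time:
    a value derived from timestamp() is recomputed when a SAVED plan is applied,
    which makes the AWS provider reject tags_all as an "inconsistent final plan".
    Override with -var at apply time if a different window is wanted.
  EOT
  type        = string
  default     = "2026-06-04T01:55:17Z"

  # Whatever reaps expired resources presumably parses this tag; a value that is
  # not RFC 3339 would silently never expire. formatdate() errors on anything
  # that is not an RFC 3339 timestamp, so can() turns it into a format check.
  # The "24h out" window itself is not verified here (timestamp() would make
  # the check non-deterministic).
  validation {
    condition     = can(formatdate("YYYY-MM-DD'T'hh:mm:ssZ", var.expiry_ts))
    error_message = "The expiry_ts value must be an RFC 3339 timestamp, e.g. 2026-06-04T01:55:17Z."
  }
}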

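variable "allowed_ssh_cidr" {
  description = <<-EOT
    CIDR permitted to reach SSH (22). Defaults to 0.0.0.0/0 so the operator can
    reach the VM from wherever they run apply; tighten to the operator's /32 at
    apply time with -var if desired. The lab user is unprivileged and the VM is
    ephemeral (24h expiry tag), but locking this down is recommended.
  EOT
  type        = string
  default     = "0.0.0.0/0"

  # An operator tightening this with -var is exactly when a typo is likely
  # (e.g. a bare IP with no prefix length). cidrhost() errors on anything that
  # is not a valid CIDR prefix, so fail at plan time rather than letting the
  # provider reject the security-group rule mid-apply.
  validation {
    condition     = can(cidrhost(var.allowed_ssh_cidr, 0))
    error_message = "The allowed_ssh_cidr value must be a CIDR prefix such as 203.0.113.7/32."
  }
}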
