# Customer prefix; combined with other inputs to build resource names shown in the console.
variable "prefix" {
  type        = string
  description = "The prefix name of customer to be displayed in AWS console and resource"
}
# Deployment environment label (e.g. dev/prod), used as a naming prefix alongside var.prefix.
variable "environment" {
  type        = string
  description = "Environment Variable used as a prefix"
}
# Human-readable name for the WAFv2 web ACL.
variable "name" {
  description = "A friendly name of the WebACL."
  type        = string
}
# WAFv2 scope. Rejected at plan time unless it is one of the two values AWS accepts.
variable "scope" {
  description = <<-DOC
    Specifies whether this is for an AWS CloudFront distribution or for a regional application.
    Possible values are `CLOUDFRONT` or `REGIONAL`.
    To work with CloudFront, you must also specify the region us-east-1 (N. Virginia) on the AWS provider.
  DOC
  type        = string

  validation {
    # Case-sensitive on purpose: the AWS API only accepts the upper-case spellings.
    condition     = contains(["CLOUDFRONT", "REGIONAL"], var.scope)
    error_message = "Allowed values: `CLOUDFRONT`, `REGIONAL`."
  }
}
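# Toggle for the module's built-in default rule; the rule itself is defined in locals.tf.
variable "is_enable_default_rule" {
  type        = bool
  description = "If true, enable the default rule (see locals.tf for its definition)."
  default     = true
}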
# AWS managed rule groups to attach to the web ACL. Reference for the available groups:
# https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html
variable "managed_rules" {
  description = "List of Managed WAF rules."
  # NOTE(review): priority values should be unique across all rules in the ACL — this block
  # does not enforce that; confirm where priorities are checked.
  type = list(object({
    name            = string
    priority        = number
    override_action = string
    excluded_rules  = list(string)
  }))
  default = []
}
# Rules that match requests by source IP against an IP set.
variable "ip_sets_rule" {
  description = "A rule to detect web requests coming from particular IP addresses or address ranges."
  # NOTE: every element of the list must have exactly this object structure. The original
  # author left a note suggesting the type be relaxed to `any` and the description expanded.
  type = list(object({
    name               = string
    priority           = number
    ip_set             = list(string)
    action             = string
    ip_address_version = string
  }))
  default = []
}
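# Map of IP sets to create, keyed by IP set name. The example previously referenced a
# variable named `ip_sets` and used the malformed CIDR `127.0.01/32`; both are corrected here.
variable "ip_set" {
  description = <<-EOL
    To create IP set ex.
    ip_set = {
      "oozou-vpn-ipv4-set" = {
        ip_addresses       = ["127.0.0.1/32"]
        ip_address_version = "IPV4"
      },
      "oozou-vpn-ipv6-set" = {
        ip_addresses       = ["2403:6200:88a2:a6f8:2096:9b42:31f8:61fd/128"]
        ip_address_version = "IPV6"
      }
    }
  EOL
  type = map(object({
    ip_addresses       = list(string)
    ip_address_version = string
  }))
  default = {}
}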
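# Free-form custom rule definitions.
# `type = any` means Terraform performs no plan-time schema check on this input; malformed
# entries surface only when the rules are rendered. Keep the structure in sync with the examples.
variable "custom_rules" {
  description = "See the module examples for the expected structure of each custom rule."
  type        = any
  default     = []
}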
# Tags applied to the web ACL.
variable "tags" {
  description = "A mapping of tags to assign to the WAFv2 ACL."
  type        = map(string)
  default     = {}
}
# ARNs of resources the web ACL should be associated with.
# NOTE(review): CloudFront distributions are normally attached through the distribution's own
# web ACL setting rather than an association resource — confirm how this module handles
# CLOUDFRONT scope before listing a distribution ARN here.
variable "association_resources" {
  description = "ARN of the ALB, CloudFront, Etc to be associated with the WAFv2 ACL."
  type        = list(string)
  default     = []
}
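# Action taken when no rule matches. Defaults to deny-by-default ("block"); switching to
# "allow" turns the ACL into an allow-list-with-exceptions, so the change should be deliberate.
variable "default_action" {
  type        = string
  description = "The action to perform if none of the rules contained in the WebACL match. Allowed values: `allow`, `block`."
  default     = "block"

  validation {
    # lower() keeps previously accepted spellings working; case normalisation before use is
    # still the module's responsibility.
    condition     = contains(["allow", "block"], lower(var.default_action))
    error_message = "Allowed values: `allow`, `block`."
  }
}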
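# Controls CloudWatch metrics for the web ACL. The previous description was copied from
# `default_action` and did not describe this input.
variable "is_enable_cloudwatch_metrics" {
  type        = bool
  description = "Whether to enable CloudWatch metrics for the WebACL and its rules."
  default     = true
}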
# Sampled requests retain a copy of matching request data for console inspection; treat that
# store as potentially containing request content and review who can read it.
variable "is_enable_sampled_requests" {
  description = "Whether AWS WAF should store a sampling of the web requests that match the rules. You can view the sampled requests through the AWS WAF console."
  type        = bool
  default     = true
}
# Optional per-source-IP rate limit. `null` (the default) means no rate-based rule is created.
variable "ip_rate_based_rule" {
  description = "A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span"
  type = object({
    name     = string
    priority = number
    action   = string
    limit    = number
  })
  default = null
}
# Whether to ship web ACL logs to CloudWatch. Disabling this removes the audit trail the
# redaction, filter and retention inputs below configure.
variable "is_create_logging_configuration" {
  type        = bool
  description = "Whether to create logging configuration in order start logging from a WAFv2 Web ACL to CloudWatch"
  default     = true
}
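# Log group retention. The description already lists the only values CloudWatch accepts; the
# validation block turns a late API error into a plan-time error. 0 disables expiry.
variable "cloudwatch_log_retention_in_days" {
  description = "Specifies the number of days you want to retain log events. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire"
  type        = number
  default     = 90

  validation {
    condition     = contains([0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653], var.cloudwatch_log_retention_in_days)
    error_message = "Allowed values: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653."
  }
}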
# Optional customer-managed KMS key for the log group.
# NOTE(review): with the default `null` the log group presumably falls back to the
# service-managed encryption — confirm against the log group resource if a CMK is required.
variable "cloudwatch_log_kms_key_id" {
  type        = string
  description = "The ARN for the KMS encryption key."
  default     = null
}
# Request parts to strip from logs before they are written. Fields that carry credentials
# (e.g. authorization or cookie headers) are the usual candidates; `type = any` means the
# structure is not checked at plan time.
variable "redacted_fields" {
  type        = any
  description = "The parts of the request that you want to keep out of the logs. Up to 100 `redacted_fields` blocks are supported."
  default     = []
}
# Filter deciding which requests are logged. An empty map (the default) applies no filter;
# `type = any` means the structure is not checked at plan time.
variable "logging_filter" {
  type        = any
  description = "A configuration block that specifies which web requests are kept in the logs and which are dropped. You can filter on the rule action and on the web request labels that were applied by matching rules during web ACL evaluation."
  default     = {}
}
# Optional custom response bodies returned by blocking rules.
variable "custom_response_body" {
  type        = list(any)
  description = "(optional) Define custom response body"
  default     = []
}