diff --git a/main.tf b/main.tf
index 09d5db9..b55ab74 100644
--- a/main.tf
+++ b/main.tf
@@ -1,3 +1,23 @@
+locals {
+ category_settings = {
+ "1" = [
+ { category = "paranoia-level-2", enabled = false },
+ { category = "paranoia-level-3", enabled = false },
+ { category = "paranoia-level-4", enabled = false }
+ ],
+ "2" = [
+ { category = "paranoia-level-3", enabled = false },
+ { category = "paranoia-level-4", enabled = false }
+ ],
+ "3" = [
+ { category = "paranoia-level-4", enabled = false }
+ ],
+ "4" = []
+ }
+}
+
+
+
 data "cloudflare_zones" "zones" {
 count = length(var.domains)
 
@@ -8,6 +28,7 @@ data "cloudflare_zones" "zones" {
 }
 }
 
+
 resource "cloudflare_ruleset" "zone_level_managed_waf" {
 count = length(var.domains)
 
@@ -35,20 +56,18 @@ resource "cloudflare_ruleset" "zone_level_managed_waf" {
 id = "4814384a9e5d4991b9815dcfc25d2f1f"
 version = "latest"
 overrides {
- categories {
- category = "paranoia-level-3"
- action = "block"
- enabled = false
- }
- categories {
- category = "paranoia-level-4"
- action = "block"
- enabled = false
+ dynamic "categories" {
+ for_each = local.category_settings[tostring(var.paranoia_level)]
+ content {
+ category = categories.value.category
+ enabled = categories.value.enabled
+ }
 }
+
 rules {
 id = "6179ae15870a4bb7b2d480d4843b323c"
- action = "managed_challenge"
- score_threshold = 25
+ action = var.owasp_action
+ score_threshold = var.anomaly_score_threshold
 }
 }
 }
diff --git a/variables.tf b/variables.tf
index 612fd1c..df5ba60 100644
--- a/variables.tf
+++ b/variables.tf
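Review bot: `local.category_settings` only has the keys "1" through "4", so the lookup `local.category_settings[tostring(var.paranoia_level)]` in the third hunk of this file fails with an invalid-index error for any other `paranoia_level` value (0, 5, a fractional number) instead of a readable message; since `variables.tf` declares the variable as a bare `number`, a `validation { condition = contains([1, 2, 3, 4], var.paranoia_level) }` block there would make the contract explicit and fail at plan time. The map also encodes the paranoia semantics only implicitly (level n keeps levels 1..n active and disables the ones above it), which is worth a comment above it, e.g. `# Paranoia-level categories to disable for each configured level; PL n leaves levels 1..n enabled`.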
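Review bot: Replacing the hard-coded `action = "managed_challenge"` / `score_threshold = 25` with `var.owasp_action` / `var.anomaly_score_threshold` changes what callers get by default, because the new variables default to `"log"` and `60` (variables.tf hunk): a consumer who never sets these values goes from challenging requests at the lower (stricter) anomaly threshold to only logging at the higher one. If that is intended, the defaults should be called out in the commit message and the variable descriptions; if not, the defaults should mirror the removed values, `default = "managed_challenge"` and `default = 25`. Separately, the `dynamic "categories"` content drops the `action = "block"` attribute the removed blocks carried; it is inert while every map entry has `enabled = false`, but carrying `action` in the local map entries would keep the override complete if an entry is ever switched on.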
@@ -14,3 +14,23 @@ variable "owasp_enabled" {
 description = "Enable OWASP Core Ruleset"
 default = true
 }
+
+variable "owasp_action" {
+ type = string
+ description = "OWASP Core Ruleset action"
+ default = "log"
+}
+
+variable "anomaly_score_threshold" {
+ type = number
+ description = "OWASP Core Ruleset anomaly score threshold"
+ default = 60
+
+}
+
+variable "paranoia_level" {
+ type = number
+ description = "OWASP Core Ruleset paranoia level"
+ default = 3
+
+}
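Review bot: `owasp_action` is declared as an unconstrained `string`, so a typo such as `"managed-challenge"` only surfaces at apply time when the provider or the Cloudflare API rejects the ruleset; a `validation` block limiting it to the actions the module expects (the page shows `"log"`, `"managed_challenge"` and `"block"` in use) would catch that at plan time, and the same goes for a positive-number check on `anomaly_score_threshold`. The descriptions are too thin to use the variables safely: `anomaly_score_threshold` should say that a lower score triggers the action on fewer matched rules and what the default `60` corresponds to, and `paranoia_level` should state the accepted range 1–4 and that higher levels enable more, and more false-positive-prone, rules. The stray blank lines before the closing `}` of `anomaly_score_threshold` and `paranoia_level` are inconsistent with the `owasp_action` block above them.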