# Human-readable name for the aws_wafv2_web_acl this module manages.
variable "name" {
  description = "A friendly name of the WebACL."
  type        = string
}
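# Where the web ACL is attached. Only the two values named in the description
# are meaningful to WAFv2, so an unexpected value is rejected at plan time
# instead of surfacing as a provider error at apply.
# A CLOUDFRONT-scoped web ACL must be created in the us-east-1 region.
variable "scope" {
  type        = string
  description = "The scope of this Web ACL. Valid options: CLOUDFRONT, REGIONAL."

  # validation blocks require Terraform >= 0.13.
  validation {
    condition     = contains(["CLOUDFRONT", "REGIONAL"], var.scope)
    error_message = "The scope must be either CLOUDFRONT or REGIONAL."
  }
}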
# AWS Managed Rule Groups to include in the web ACL.
#
# Each entry maps to one managed-rule-group statement:
#   name            - the managed rule group identifier
#   priority        - evaluation order; must be unique across every rule in
#                     the ACL, including the rules built from the other
#                     *_rule variables in this file
#   override_action - "none" lets the rule group's own actions take effect;
#                     "count" only records matches, which is the usual way
#                     to trial a group before enforcing it
#   excluded_rules  - names of individual rules inside the group to exclude
#   vendor_name     - the rule group vendor (here "AWS")
#
# The defaults enable six AWS groups in enforcing mode, spaced ten apart so
# callers can slot their own rules in between.
variable "managed_rules" {
  description = "List of Managed WAF rules."

  type = list(object({
    name            = string
    priority        = number
    override_action = string
    excluded_rules  = list(string)
    vendor_name     = string
  }))

  default = [
    {
      vendor_name     = "AWS"
      name            = "AWSManagedRulesCommonRuleSet",
      priority        = 10
      override_action = "none"
      excluded_rules  = []
    },
    {
      vendor_name     = "AWS"
      name            = "AWSManagedRulesAmazonIpReputationList",
      priority        = 20
      override_action = "none"
      excluded_rules  = []
    },
    {
      vendor_name     = "AWS"
      name            = "AWSManagedRulesKnownBadInputsRuleSet",
      priority        = 30
      override_action = "none"
      excluded_rules  = []
    },
    {
      vendor_name     = "AWS"
      name            = "AWSManagedRulesSQLiRuleSet",
      priority        = 40
      override_action = "none"
      excluded_rules  = []
    },
    {
      vendor_name     = "AWS"
      name            = "AWSManagedRulesLinuxRuleSet",
      priority        = 50
      override_action = "none"
      excluded_rules  = []
    },
    {
      vendor_name     = "AWS"
      name            = "AWSManagedRulesUnixRuleSet",
      priority        = 60
      override_action = "none"
      excluded_rules  = []
    }
  ]
}
# Rules that match on an existing aws_wafv2_ip_set (allow/deny lists).
#
#   name       - rule name
#   priority   - evaluation order; must not collide with other rules
#   ip_set_arn - ARN of the IP set to match against
#   action     - rule action as the module wires it; WAFv2 rule actions are
#                allow, block and count — check main.tf for which are supported
#
# Empty by default, so no IP-set rules are created unless requested.
variable "ip_sets_rule" {
  description = "A rule to detect web requests coming from particular IP addresses or address ranges."
  default     = []

  type = list(object({
    name       = string
    priority   = number
    ip_set_arn = string
    action     = string
  }))
}
# Optional single rate-based rule keyed on the originating IP.
#
#   name     - rule name
#   priority - evaluation order; must not collide with other rules
#   limit    - request count per 5-minute window that triggers the action
#   action   - rule action taken once the limit is exceeded
#
# A null default presumably means no rate-based rule is created; confirm
# against the conditional in main.tf.
variable "ip_rate_based_rule" {
  description = "A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span"
  default     = null

  type = object({
    name     = string
    priority = number
    limit    = number
    action   = string
  })
}
# Rate-based rules scoped to requests whose URL matches a string.
#
#   name                  - rule name
#   priority              - evaluation order; must not collide with other rules
#   limit                 - request count per 5-minute window that triggers the action
#   action                - rule action taken once the limit is exceeded
#   search_string         - text the URL is compared against
#   positional_constraint - how search_string is matched (a WAFv2
#                           byte-match positional constraint such as
#                           CONTAINS or STARTS_WITH; see main.tf for the
#                           field it is applied to)
#
# Empty by default, so none of these rules are created unless requested.
variable "ip_rate_url_based_rules" {
  description = "A rate and url based rules tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span"
  default     = []

  type = list(object({
    name                  = string
    priority              = number
    limit                 = number
    action                = string
    search_string         = string
    positional_constraint = string
  }))
}
# Optional rule matching on HTTP header values.
#
#   header_types  - header names to inspect
#   priority      - evaluation order; defaults to 1, so it is evaluated
#                   before the managed rules above if enabled
#   header_value  - value to compare against
#   action        - rule action; defaults to "block"
#   search_string - additional match string used by the rule
#
# The default leaves header_types empty, which presumably means no header
# rule is created; confirm against the conditional in main.tf.
variable "filtered_header_rule" {
  description = "HTTP header to filter . Currently supports a single header type and multiple header values."

  type = object({
    header_types  = list(string)
    priority      = number
    header_value  = string
    action        = string
    search_string = string
  })

  default = {
    action        = "block"
    priority      = 1
    header_types  = []
    header_value  = ""
    search_string = ""
  }
}
# Resource tags applied to the web ACL.
variable "tags" {
  description = "A mapping of tags to assign to the WAFv2 ACL."
  default     = {}
  type        = map(string)
}
# Toggle for creating the web ACL <-> ALB association. Off by default, so
# the ACL is not attached to anything unless the caller opts in; alb_arn is
# presumably only consulted when this is true.
variable "associate_alb" {
  description = "Whether to associate an ALB with the WAFv2 ACL."
  default     = false
  type        = bool
}
# ARN of the load balancer to protect. Only meaningful together with
# associate_alb = true; the empty default is a placeholder, not a valid ARN.
variable "alb_arn" {
  description = "ARN of the ALB to be associated with the WAFv2 ACL."
  default     = ""
  type        = string
}
# Toggle for the web ACL logging configuration. Off by default, so blocked
# and counted requests are not recorded anywhere unless the caller enables
# this and supplies log_destination_arns.
variable "enable_logging" {
  description = "Whether to associate Logging resource with the WAFv2 ACL."
  default     = false
  type        = bool
}
# Destinations for WAF logs. Used together with enable_logging; an empty
# list with enable_logging = true cannot be rejected here because variable
# validation cannot reference other variables.
variable "log_destination_arns" {
  description = "The Amazon Kinesis Data Firehose, Cloudwatch Log log group, or S3 bucket Amazon Resource Names (ARNs) that you want to associate with the web ACL."
  default     = []
  type        = list(string)
}
# Customer-owned aws_wafv2_rule_group resources to reference from the ACL.
#
#   name            - rule name
#   arn             - ARN of the rule group
#   priority        - evaluation order; must not collide with other rules
#   override_action - "none" enforces the group's own actions; "count"
#                     only records matches
#   excluded_rules  - names of individual rules inside the group to exclude
#
# Empty by default.
variable "group_rules" {
  description = "List of WAFv2 Rule Groups."
  default     = []

  type = list(object({
    name            = string
    arn             = string
    priority        = number
    override_action = string
    excluded_rules  = list(string)
  }))
}
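# What happens to a request no rule matched. WAFv2 only offers allow or
# block as a web ACL default action, so anything else is rejected at plan
# time rather than failing in the provider. The module defaults to "allow"
# (deny-list posture); set "block" for an allow-list posture.
variable "default_action" {
  type        = string
  description = "The action to perform if none of the rules contained in the WebACL match."
  default     = "allow"

  # validation blocks require Terraform >= 0.13.
  validation {
    condition     = contains(["allow", "block"], var.default_action)
    error_message = "The default_action must be either allow or block."
  }
}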