#Module : LABEL
#Description : Terraform label module variables.
# Label component: the base name of the thing being tagged.
variable "name" {
  description = "Name (e.g. `app` or `cluster`)."
  type        = string
  default     = ""
}
# Label component: the deployment environment the resources belong to.
variable "environment" {
  description = "Environment (e.g. `prod`, `dev`, `staging`)."
  type        = string
  default     = ""
}
# Label component: source repository of this module, recorded in the label/tags.
variable "repository" {
  description = "Terraform current module repo"
  type        = string
  default     = "https://github.com/clouddrove/terraform-aws-waf"
}
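# Order in which the label components are joined into the resource name.
# Typed as list(string): the elements are component names, so `list(any)`
# only weakened the type check without permitting any additional valid input.
variable "label_order" {
  type        = list(string)
  default     = ["name", "environment"]
  description = "Label order, e.g. `name`,`environment`."
}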
# Label component: who operates the resources (recorded as a tag value).
variable "managedby" {
  description = "ManagedBy, eg 'CloudDrove'"
  type        = string
  default     = "CloudDrove"
}
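# Master switch for the module. The previous description referred to "vpc
# creation", which was copied from another module; this module manages WAF.
variable "enable" {
  type        = bool
  default     = true
  description = "Flag to control creation of the resources managed by this module."
}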
# Opt-in switch for creating the WAF for a load balancer; off by default.
variable "waf_enabled" {
  description = "Flag to control the waf creation for load balancer."
  type        = bool
  default     = false
}
# Single target (ALB or CloudFront distribution) to attach the web ACL to.
variable "resource_arn" {
  description = "ARN of the ALB or cloudfront to be associated with the WAFv2 ACL."
  type        = string
  default     = ""
}
# Multiple targets (ALBs or CloudFront distributions) to attach the web ACL to.
variable "resource_arn_list" {
  description = "ARN List of the ALB or cloudfront to be associated with the WAFv2 ACL."
  type        = list(string)
  default     = []
}
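# Controls whether the web ACL is actually attached to the target resources.
# A web ACL that is created but never associated protects nothing, so this
# defaults to true; the original description was not readable English.
variable "web_acl_association" {
  type        = bool
  default     = true
  description = "Whether to associate the WAFv2 web ACL with the resources given in `resource_arn` / `resource_arn_list`."
}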
#Module : WAF
#Description : Terraform WAF module variables.
#logs
# Firehose delivery stream: how much log data (MB) to accumulate before writing to S3.
variable "firehose_buffer_size" {
  description = "Buffer incoming data to the specified size, in MBs, before delivering it to the destination. Valid value is between 64-128. Recommended is 128, specifying a smaller buffer size can result in the delivery of very small S3 objects, which are less efficient to query."
  type        = number
  default     = 128
}
# Firehose delivery stream: how long (seconds) to accumulate log data before writing to S3.
variable "firehose_buffer_interval" {
  description = "Buffer incoming data for the specified period of time, in seconds, before delivering it to the destination. Valid value is between 60-900. Smaller value makes the logs delivered faster. Bigger value increase the chance to make the file size bigger, which are more efficient to query."
  type        = number
  default     = 900
}
# Free-text description attached to the web ACL itself.
variable "description" {
  description = "Description for web acl"
  type        = string
  default     = "WAFv2 ACL"
}
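# Scope of the WAFv2 web ACL. This was the only variable without a
# description. The name keeps its existing spelling (`waf_scop`) because it is
# part of the module's input interface and renaming it would break callers.
variable "waf_scop" {
  type        = string
  default     = "REGIONAL"
  description = "Scope of the WAFv2 web ACL: `REGIONAL` for ALB/API Gateway targets, `CLOUDFRONT` for CloudFront distributions."
}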
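# Addresses for the IP set. The description said "(Required)" while the
# variable has a default of null, which makes it optional; the text now
# matches the declaration.
variable "ip_addresses" {
  type        = list(string)
  default     = null
  description = "(Optional) List of strings that specify one or more IP addresses or blocks of IP addresses in Classless Inter-Domain Routing (CIDR) notation. AWS WAF supports all address ranges for IP versions IPv4 and IPv6."
}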
# Rule definitions for the web ACL; left as `any` because rule shapes vary.
variable "rules" {
  type        = any
  default     = []
  description = "List of WAF rules."
}
# Metrics / sampled-request settings for the web ACL (see linked provider docs).
variable "visibility_config" {
  type        = map(string)
  default     = {}
  description = "Visibility config for WAFv2 web acl. https://www.terraform.io/docs/providers/aws/r/wafv2_web_acl.html#visibility-configuration"
}
# Default action when no rule matches: true = allow, false = block.
variable "allow_default_action" {
  description = "Set to `true` for WAF to allow requests by default. Set to `false` for WAF to block requests by default."
  type        = bool
  default     = true
}
#logs
# Opt-in switch for shipping web ACL logs to Kinesis Data Firehose; off by default.
variable "create_logging_configuration" {
  description = "Whether to create logging configuration in order start logging from a WAFv2 Web ACL to Amazon Kinesis Data Firehose."
  type        = bool
  default     = false
}
# Request parts to strip from the logs before delivery.
variable "redacted_fields" {
  description = "The parts of the request that you want to keep out of the logs. Up to 100 `redacted_fields` blocks are supported."
  type        = any
  default     = []
}
# Keep/drop filter applied to web requests before they are logged.
variable "logging_filter" {
  description = "A configuration block that specifies which web requests are kept in the logs and which are dropped. You can filter on the rule action and on the web request labels that were applied by matching rules during web ACL evaluation."
  type        = any
  default     = {}
}
# Waiting period (days) before a scheduled KMS key deletion takes effect.
variable "kms_key_deletion_window" {
  description = "KMS Key deletion window in days."
  type        = number
  default     = 10
}
# Automatic rotation for the KMS key; kept on unless explicitly disabled.
variable "enable_key_rotation" {
  description = "Specifies whether key rotation is enabled. Defaults to true(security best practice)"
  type        = bool
  default     = true
}
# Server-side encryption mode for the log bucket; KMS by default.
variable "s3_sse_algorithm" {
  description = "Server-side encryption algorithm to use. Valid values are AES256 and aws:kms"
  type        = string
  default     = "aws:kms"
}
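# Transport-security switch for the logging bucket. The original description
# ("This veriables use for only https traffic.") was ungrammatical; the
# behavior it names — HTTPS-only access — is unchanged and still on by default.
variable "only_https_traffic" {
  type        = bool
  default     = true
  description = "Set to `true` to allow only HTTPS traffic to the logging bucket."
}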
# Whether deleting object versions requires MFA (bucket versioning setting).
variable "mfa_delete" {
  description = "Specifies whether MFA delete is enabled in the bucket versioning configuration. Valid values: Enabled or Disabled."
  type        = string
  default     = "Disabled"
}
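# MFA token string used only when `mfa_delete` is Enabled. The description
# had an unbalanced parenthesis ("Optional, Required ... enabled)").
variable "mfa" {
  type        = string
  default     = null
  description = "(Optional, required if `mfa_delete` is Enabled) Concatenation of the authentication device's serial number, a space, and the value that is displayed on your authentication device."
}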
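# Versioning state of the logging bucket. The previous description was a
# copy of the `mfa` variable's text and described an MFA token, not a
# versioning status; it now documents what the variable actually sets.
variable "versioning_status" {
  type        = string
  default     = "Enabled"
  description = "Versioning state of the bucket. Valid values: Enabled, Suspended, or Disabled."
}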
#logs : CloudWatch Logs log group
# Opt-in switch for a CloudWatch Logs log group as the WAF logging destination.
variable "enable_cloudwatch_logs" {
  description = "Enable WAF logging destination as CloudWatch Logs log group"
  type        = bool
  default     = false
}
# How long (days) WAF events stay in the CloudWatch Logs log group.
variable "cloudwatch_logs_retention_in_days" {
  description = "Retention period of CloudWatch Logs log group"
  type        = number
  default     = 7
}
# Customer-managed KMS key for the log group; null leaves encryption to the service default.
variable "kms_key_arn" {
  description = "(Optional) KMS key ARN to encrypt CloudWatch Logs log group"
  type        = string
  default     = null
}
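# Caller-supplied IAM policy document for the log group; an empty string
# means the module uses its own. Fixes the "Custome" typo in the description.
variable "cloudwatch_logs_policy_document" {
  type        = string
  default     = ""
  description = "(Optional) Custom IAM policy document for the CloudWatch Logs log group."
}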