https://github.com/govtechsg/terraform-waf-v2-es
- Host: GitHub
- URL: https://github.com/govtechsg/terraform-waf-v2-es
- Owner: GovTechSG
- License: mit
- Created: 2021-10-23T08:18:17.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2023-08-11T07:44:17.000Z (almost 3 years ago)
- Last Synced: 2025-01-03T03:12:57.445Z (over 1 year ago)
- Topics: terraform
- Language: HCL
- Homepage:
- Size: 29.3 KB
- Stars: 0
- Watchers: 57
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
## Requirements
No requirements.
## Providers
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | n/a |
| [aws.wafv2](#provider\_aws.wafv2) | n/a |
## Modules
No modules.
## Resources
| Name | Type |
|------|------|
| [aws_iam_policy.allow_es_actions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role.firehose](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.firehose_on_es](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_kinesis_firehose_delivery_stream.waf](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream) | resource |
| [aws_kinesis_firehose_delivery_stream.waf-to-es](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream) | resource |
| [aws_wafv2_ip_set.ipset-allow](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_ip_set) | resource |
| [aws_wafv2_ip_set.ipset-block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_ip_set) | resource |
| [aws_wafv2_ip_set.ipset-rate-limit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_ip_set) | resource |
| [aws_wafv2_web_acl.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl) | resource |
| [aws_wafv2_web_acl_association.waf_association](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl_association) | resource |
| [aws_iam_policy_document.allow_es_actions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.firehose_role_assume_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [allow\_ips](#input\_allow\_ips) | IPs to be always allowed (the action is Allow) | `set(string)` | `[]` | no |
| [association\_resource\_arns](#input\_association\_resource\_arns) | Resources you want to associate with WAF | `set(string)` | `[]` | no |
| [aws\_anonymousip\_list](#input\_aws\_anonymousip\_list) | AWS Managed AnonymousIPList, use Count or None for action. | `map(any)` | n/a | yes |
| [aws\_badinputs\_ruleset](#input\_aws\_badinputs\_ruleset) | AWS Managed KnownBadInputsRuleSet, use Count or None for action. | `map(any)` | n/a | yes |
| [aws\_common\_ruleset](#input\_aws\_common\_ruleset) | AWS Managed CommonRuleSet, use Count or None for action. | `map(any)` | n/a | yes |
| [aws\_linux\_ruleset](#input\_aws\_linux\_ruleset) | AWS Managed LinuxRuleSet, use Count or None for action. | `map(any)` | n/a | yes |
| [aws\_region](#input\_aws\_region) | Region | `string` | `"ap-southeast-1"` | no |
| [aws\_sqli\_ruleset](#input\_aws\_sqli\_ruleset) | AWS Managed SQLiRuleSet, use Count or None for action. | `map(any)` | n/a | yes |
| [block\_ips](#input\_block\_ips) | IPs to be blocked | `set(string)` | `[]` | no |
| [bots\_useragent\_throttling](#input\_bots\_useragent\_throttling) | Bots Using Specific User Agents Throttling, use Count or Block for action. | `map(any)` | n/a | yes |
| [default\_block](#input\_default\_block) | Make the default action block instead of allow | `bool` | `false` | no |
| [description](#input\_description) | Description of the WAFv2 | `string` | `"-"` | no |
| [firehose\_buffer\_interval](#input\_firehose\_buffer\_interval) | Buffer incoming data for the specified period of time, in seconds, before delivering it to the destination. Valid values are between 60 and 900. A smaller value delivers the logs faster; a bigger value increases the chance of larger files, which are more efficient to query. | `number` | `300` | no |
| [firehose\_buffer\_size](#input\_firehose\_buffer\_size) | Buffer incoming data up to the specified size, in MBs, before delivering it to the destination. Valid values are between 64 and 128. 128 is recommended; a smaller buffer size can result in the delivery of very small S3 objects, which are less efficient to query. | `number` | `128` | no |
| [geolocation\_throttling](#input\_geolocation\_throttling) | Geolocation Throttling, use Count or Block for action. | `map(any)` | n/a | yes |
| [hex\_id](#input\_hex\_id) | Legacy id used in the CloudFormation track | `string` | n/a | yes |
| [ipset\_block](#input\_ipset\_block) | Block the specific IPs, use Count or Block for action. | `map(any)` | n/a | yes |
| [ipset\_rate\_limit](#input\_ipset\_rate\_limit) | Rate-limit the specific IPs, use Count or Block for action. Defaults to Count. Set ignore\_ipset to true if you want to rate-limit ALL IP addresses. Rate is the number of requests per 5 minutes. | `object({ priority = number, action = string, ignore_ipset = bool, rate = number })` | `{ "action": "count", "ignore_ipset": false, "priority": -1, "rate": 300 }` | no |
| [logging\_to\_es](#input\_logging\_to\_es) | (Optional) Logging to ES, default to false. | `bool` | `false` | no |
| [logging\_to\_es\_domain\_arn](#input\_logging\_to\_es\_domain\_arn) | The ARN of the ES domain is required if `logging_to_es` is true. | `string` | `""` | no |
| [logging\_to\_es\_firehose\_buffer\_interval](#input\_logging\_to\_es\_firehose\_buffer\_interval) | The firehose\_buffer\_interval is required if `logging_to_es` is true. | `number` | `300` | no |
| [logging\_to\_es\_firehose\_buffer\_size](#input\_logging\_to\_es\_firehose\_buffer\_size) | The firehose\_buffer\_size is required if `logging_to_es` is true. | `number` | `15` | no |
| [logging\_to\_es\_index\_name](#input\_logging\_to\_es\_index\_name) | The index\_name for ES is required if `logging_to_es` is true. | `string` | `""` | no |
| [logging\_to\_es\_index\_rotation](#input\_logging\_to\_es\_index\_rotation) | The index\_rotation of ES is required if `logging_to_es` is true. | `string` | `"OneWeek"` | no |
| [logging\_to\_es\_index\_type](#input\_logging\_to\_es\_index\_type) | The index\_type of ES is required if `logging_to_es` is true. | `string` | `""` | no |
| [logging\_to\_es\_s3\_kms\_key\_arn](#input\_logging\_to\_es\_s3\_kms\_key\_arn) | The KMS key for S3 encryption, required if `logging_to_es` is true. | `string` | `""` | no |
| [logging\_to\_es\_sec\_grp\_id](#input\_logging\_to\_es\_sec\_grp\_id) | The security group of ES is required if `logging_to_es` is true. | `set(string)` | `[]` | no |
| [logging\_to\_es\_subnet\_ids](#input\_logging\_to\_es\_subnet\_ids) | The subnet ids of ES is required if `logging_to_es` is true. | `set(string)` | `[]` | no |
| [name](#input\_name) | Name of WAFv2 | `string` | `""` | no |
| [permissions\_boundary](#input\_permissions\_boundary) | Boundary required for GCC | `string` | `""` | no |
| [rate\_limit\_ips](#input\_rate\_limit\_ips) | IPs to be rate-limited | `set(string)` | `[]` | no |
| [s3\_bucket\_name](#input\_s3\_bucket\_name) | S3 Bucket for Logging | `string` | `""` | no |
| [scope](#input\_scope) | Scope of WAFv2 | `string` | `"REGIONAL"` | no |
| [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{ "Terraform": "True" }` | no |
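A module invocation assembled from the inputs documented above, added here as an example and not taken from the GovTech repository: it runs the AWS managed rule sets in Count while putting the explicit IP block set and the rate limit into Block, extends the rate limit to all clients via `ignore_ipset`, and turns on delivery to ES. The key shape of the `map(any)` rule-set inputs (`priority`, `action`) is not documented on this page and is assumed, as are the caller variable `var.alb_arn` and every ARN, ID and name shown.

```hcl
module "waf" {
  source = "git::https://github.com/govtechsg/terraform-waf-v2-es.git"
  name                      = "example-web-acl"   # constructed
  scope                     = "REGIONAL"
  aws_region                = "ap-southeast-1"
  hex_id                    = "PLACEHOLDER-HEX-ID"
  permissions_boundary      = ""                  # set the GCC boundary ARN where required
  association_resource_arns = [var.alb_arn]       # assumed caller variable holding an ALB ARN

  # Keep Allow as the default while the managed rule sets still run in Count; once their
  # Count metrics are clean, flip this to true so unmatched traffic is blocked.
  default_block = false

  # Static lists in CIDR notation; these addresses are constructed.
  allow_ips      = ["203.0.113.10/32"]
  block_ips      = ["198.51.100.0/24"]
  rate_limit_ips = []

  # The map keys `priority` and `action` are assumed; the page documents only the
  # allowed action values (Count/None for managed sets, Count/Block for the others).
  aws_common_ruleset        = { priority = 10, action = "count" }
  aws_badinputs_ruleset     = { priority = 20, action = "count" }
  aws_sqli_ruleset          = { priority = 30, action = "count" }
  aws_linux_ruleset         = { priority = 40, action = "count" }
  aws_anonymousip_list      = { priority = 50, action = "none" }
  bots_useragent_throttling = { priority = 60, action = "block" }
  geolocation_throttling    = { priority = 70, action = "count" }
  ipset_block               = { priority = 80, action = "block" }

  # ignore_ipset = true applies the limit to every client instead of only
  # rate_limit_ips; rate is requests per 5-minute window.
  ipset_rate_limit = { priority = 90, action = "block", ignore_ipset = true, rate = 2000 }

  # Logging: S3 via Firehose, and additionally to an ES domain inside a VPC.
  s3_bucket_name           = "example-waf-logs"   # constructed
  firehose_buffer_interval = 300
  firehose_buffer_size     = 128
  logging_to_es                          = true
  logging_to_es_domain_arn               = "arn:aws:es:ap-southeast-1:123456789012:domain/PLACEHOLDER"
  logging_to_es_index_name               = "waf-logs"
  logging_to_es_index_type               = "_doc"
  logging_to_es_index_rotation           = "OneWeek"
  logging_to_es_s3_kms_key_arn           = "arn:aws:kms:ap-southeast-1:123456789012:key/PLACEHOLDER"
  logging_to_es_sec_grp_id               = ["sg-PLACEHOLDER"]
  logging_to_es_subnet_ids               = ["subnet-PLACEHOLDER"]
  logging_to_es_firehose_buffer_interval = 300
  logging_to_es_firehose_buffer_size     = 15

  tags = { Terraform = "True", Environment = "dev" }
}
```

Run `terraform validate` against the module before applying; it will reject any assumed map key the module's variable definitions do not accept.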
## Outputs
| Name | Description |
|------|-------------|
| [wafv2\_arn](#output\_wafv2\_arn) | ARN of WAFv2 |