GovTechSG/terraform-waf-v2-es

Requirements

No requirements.

Providers

| Name | Version |
|------|---------|
| aws | n/a |
| aws.wafv2 | n/a |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_iam_policy.allow_es_actions | resource |
| aws_iam_role.firehose | resource |
| aws_iam_role_policy_attachment.firehose_on_es | resource |
| aws_kinesis_firehose_delivery_stream.waf | resource |
| aws_kinesis_firehose_delivery_stream.waf-to-es | resource |
| aws_wafv2_ip_set.ipset-allow | resource |
| aws_wafv2_ip_set.ipset-block | resource |
| aws_wafv2_ip_set.ipset-rate-limit | resource |
| aws_wafv2_web_acl.main | resource |
| aws_wafv2_web_acl_association.waf_association | resource |
| aws_iam_policy_document.allow_es_actions | data source |
| aws_iam_policy_document.firehose_role_assume_policy | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| allow_ips | IPs that are always allowed (the action is Allow) | set(string) | [] | no |
| association_resource_arns | Resources you want to associate with the WAF | set(string) | [] | no |
| aws_anonymousip_list | AWS Managed AnonymousIPList; use Count or None for the action. | map(any) | n/a | yes |
| aws_badinputs_ruleset | AWS Managed KnownBadInputsRuleSet; use Count or None for the action. | map(any) | n/a | yes |
| aws_common_ruleset | AWS Managed CommonRuleSet; use Count or None for the action. | map(any) | n/a | yes |
| aws_linux_ruleset | AWS Managed LinuxRuleSet; use Count or None for the action. | map(any) | n/a | yes |
| aws_region | Region | string | "ap-southeast-1" | no |
| aws_sqli_ruleset | AWS Managed SQLiRuleSet; use Count or None for the action. | map(any) | n/a | yes |
| block_ips | IPs to be blocked | set(string) | [] | no |
| bots_useragent_throttling | Throttling of bots using specific User-Agents; use Count or Block for the action. | map(any) | n/a | yes |
| default_block | Make the default action Block instead of Allow | bool | false | no |
| description | Description of the WAFv2 | string | "-" | no |
| firehose_buffer_interval | Buffer incoming data for the specified period of time, in seconds, before delivering it to the destination. Valid values are 60-900. A smaller value delivers the logs faster; a bigger value tends to produce larger files, which are more efficient to query. | number | 300 | no |
| firehose_buffer_size | Buffer incoming data up to the specified size, in MB, before delivering it to the destination. Valid values are 64-128. 128 is recommended: a smaller buffer size can result in the delivery of very small S3 objects, which are less efficient to query. | number | 128 | no |
| geolocation_throttling | Geolocation throttling; use Count or Block for the action. | map(any) | n/a | yes |
| hex_id | Legacy ID used in the CloudFormation track | string | n/a | yes |
| ipset_block | Block the specified IPs; use Count or Block for the action. | map(any) | n/a | yes |
| ipset_rate_limit | Rate-limit the specified IPs; use Count or Block for the action (defaults to Count). Set ignore_ipset to true to rate-limit ALL IP addresses. rate is the number of requests per 5 minutes. | `object({ priority = number, action = string, ignore_ipset = bool, rate = number })` | `{ "action": "count", "ignore_ipset": false, "priority": -1, "rate": 300 }` | no |
| logging_to_es | (Optional) Log to ES; defaults to false. | bool | false | no |
| logging_to_es_domain_arn | The ARN of the ES domain; required if logging_to_es is true. | string | "" | no |
| logging_to_es_firehose_buffer_interval | The firehose_buffer_interval for the ES stream; required if logging_to_es is true. | number | 300 | no |
| logging_to_es_firehose_buffer_size | The firehose_buffer_size for the ES stream; required if logging_to_es is true. | number | 15 | no |
| logging_to_es_index_name | The ES index_name; required if logging_to_es is true. | string | "" | no |
| logging_to_es_index_rotation | The ES index_rotation; required if logging_to_es is true. | string | "OneWeek" | no |
| logging_to_es_index_type | The ES index_type; required if logging_to_es is true. | string | "" | no |
| logging_to_es_s3_kms_key_arn | The KMS key for S3 encryption; required if logging_to_es is true. | string | "" | no |
| logging_to_es_sec_grp_id | The security group(s) of the ES domain; required if logging_to_es is true. | set(string) | [] | no |
| logging_to_es_subnet_ids | The subnet IDs of the ES domain; required if logging_to_es is true. | set(string) | [] | no |
| name | Name of the WAFv2 | string | "" | no |
| permissions_boundary | Boundary required for GCC | string | "" | no |
| rate_limit_ips | IPs to be rate-limited | set(string) | [] | no |
| s3_bucket_name | S3 bucket for logging | string | "" | no |
| scope | Scope of the WAFv2 | string | "REGIONAL" | no |
| tags | A map of tags to add to all resources | map(string) | `{ "Terraform": "True" }` | no |
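The following module call is an added usage example, not code from the GovTechSG/terraform-waf-v2-es repository. It wires the inputs above together: managed rule groups left in Count or None, the documented ipset_rate_limit object, S3 buffering inside the documented ranges, and the full set of logging_to_es_* values that become required once logging_to_es is true. The module source path, every value marked PLACEHOLDER, the TEST-NET addresses, the index_type value, and the priority/action key layout of the map(any) inputs (inferred by analogy with the documented ipset_rate_limit object, with the lowercase action spelling taken from its default) are assumptions, not something the README states.

```hcl
# Added usage example; not part of the module's README. Values marked
# PLACEHOLDER, the key layout of the map(any) inputs and the action casing
# are assumptions.
module "waf" {
  source = "github.com/GovTechSG/terraform-waf-v2-es" # assumed source path

  name        = "example-web-acl"
  description = "Regional WAFv2 with ES logging"
  scope       = "REGIONAL"
  aws_region  = "ap-southeast-1"
  hex_id      = "PLACEHOLDER_HEX_ID"

  # Default action stays Allow; only matching rules block.
  default_block = false

  # Resources (for example an ALB) to attach the Web ACL to.
  association_resource_arns = [
    "arn:aws:elasticloadbalancing:ap-southeast-1:111111111111:loadbalancer/app/PLACEHOLDER/0000000000000000",
  ]

  # AWS managed rule groups: README allows Count or None here. Keys are assumed.
  aws_common_ruleset    = { priority = 10, action = "none" }
  aws_badinputs_ruleset = { priority = 20, action = "none" }
  aws_sqli_ruleset      = { priority = 30, action = "none" }
  aws_linux_ruleset     = { priority = 40, action = "none" }
  aws_anonymousip_list  = { priority = 50, action = "count" } # observe before tightening

  # Custom throttling rules: Count or Block.
  bots_useragent_throttling = { priority = 60, action = "count" }
  geolocation_throttling    = { priority = 70, action = "count" }

  # IP sets (constructed TEST-NET ranges, RFC 5737).
  allow_ips      = ["203.0.113.10/32"]
  block_ips      = ["198.51.100.0/24"]
  rate_limit_ips = ["192.0.2.0/24"]
  ipset_block    = { priority = 1, action = "block" }

  # Documented object type: rate is requests per 5 minutes. ignore_ipset = true
  # would apply the limit to every source address instead of rate_limit_ips.
  ipset_rate_limit = {
    priority     = 2
    action       = "block"
    ignore_ipset = false
    rate         = 300
  }

  # S3 log delivery; buffering kept inside the documented ranges
  # (interval 60-900 s, size 64-128 MB).
  s3_bucket_name           = "PLACEHOLDER-waf-logs-bucket"
  firehose_buffer_interval = 300
  firehose_buffer_size     = 128

  # ES logging: every logging_to_es_* value below is required once this is true.
  logging_to_es                          = true
  logging_to_es_domain_arn               = "arn:aws:es:ap-southeast-1:111111111111:domain/PLACEHOLDER"
  logging_to_es_index_name               = "waf-logs"
  logging_to_es_index_type               = "_doc" # assumed
  logging_to_es_index_rotation           = "OneWeek"
  logging_to_es_firehose_buffer_interval = 300
  logging_to_es_firehose_buffer_size     = 15
  logging_to_es_s3_kms_key_arn           = "arn:aws:kms:ap-southeast-1:111111111111:key/PLACEHOLDER"
  logging_to_es_sec_grp_id               = ["sg-PLACEHOLDER"]
  logging_to_es_subnet_ids               = ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"]

  # Leave empty outside GCC; set the boundary policy ARN where it is required.
  permissions_boundary = ""

  tags = {
    Terraform   = "True"
    Environment = "example"
  }
}

# The module's single documented output.
output "web_acl_arn" {
  value = module.waf.wafv2_arn
}
```

Running `terraform validate` against this file will catch a missing required input (the `yes` rows above) or a value of the wrong type, but it cannot check the numeric ranges stated in the firehose descriptions or the coupling between logging_to_es and its companion inputs; those have to be reviewed by hand or enforced with your own variable validation in the calling configuration.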

Outputs

| Name | Description |
|------|-------------|
| wafv2_arn | ARN of WAFv2 |