No requirements.
| Name | Version |
|---|---|
| aws | n/a |
| aws.wafv2 | n/a |
No modules.
| Name | Type |
|---|---|
| aws_iam_policy.allow_es_actions | resource |
| aws_iam_role.firehose | resource |
| aws_iam_role_policy_attachment.firehose_on_es | resource |
| aws_kinesis_firehose_delivery_stream.waf | resource |
| aws_kinesis_firehose_delivery_stream.waf-to-es | resource |
| aws_wafv2_ip_set.ipset-allow | resource |
| aws_wafv2_ip_set.ipset-block | resource |
| aws_wafv2_ip_set.ipset-rate-limit | resource |
| aws_wafv2_web_acl.main | resource |
| aws_wafv2_web_acl_association.waf_association | resource |
| aws_iam_policy_document.allow_es_actions | data source |
| aws_iam_policy_document.firehose_role_assume_policy | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| allow_ips | IPs that are always allowed (the rule action is Allow) | set(string) | [] | no |
| association_resource_arns | Resources you want to associate with the WAF | set(string) | [] | no |
| aws_anonymousip_list | AWS Managed AnonymousIPList; use Count or None for the action. | map(any) | n/a | yes |
| aws_badinputs_ruleset | AWS Managed KnownBadInputsRuleSet; use Count or None for the action. | map(any) | n/a | yes |
| aws_common_ruleset | AWS Managed CommonRuleSet; use Count or None for the action. | map(any) | n/a | yes |
| aws_linux_ruleset | AWS Managed LinuxRuleSet; use Count or None for the action. | map(any) | n/a | yes |
| aws_region | Region | string | "ap-southeast-1" | no |
| aws_sqli_ruleset | AWS Managed SQLiRuleSet; use Count or None for the action. | map(any) | n/a | yes |
| block_ips | IPs to be blocked | set(string) | [] | no |
| bots_useragent_throttling | Throttling of bots using specific User-Agents; use Count or Block for the action. | map(any) | n/a | yes |
| default_block | Make the default action Block instead of Allow | bool | false | no |
| description | Description of the WAFv2 | string | "-" | no |
| firehose_buffer_interval | Buffer incoming data for the specified period of time, in seconds, before delivering it to the destination. Valid values are 60-900. A smaller value delivers the logs faster; a larger value increases the chance of larger files, which are more efficient to query. | number | 300 | no |
| firehose_buffer_size | Buffer incoming data to the specified size, in MBs, before delivering it to the destination. Valid values are 64-128. 128 is recommended; a smaller buffer size can result in the delivery of very small S3 objects, which are less efficient to query. | number | 128 | no |
| geolocation_throttling | Geolocation throttling; use Count or Block for the action. | map(any) | n/a | yes |
| hex_id | Legacy id used in the CloudFormation track | string | n/a | yes |
| ipset_block | Block the specified IPs; use Count or Block for the action. | map(any) | n/a | yes |
| ipset_rate_limit | Rate-limit the specified IPs; use Count or Block for the action (defaults to Count). Set ignore_ipset to true to rate-limit ALL IP addresses. Rate is the number of requests per 5 minutes. | object({ | { | no |
| logging_to_es | (Optional) Logging to ES; defaults to false. | bool | false | no |
| logging_to_es_domain_arn | The ARN of the ES domain; required if logging_to_es is true. | string | "" | no |
| logging_to_es_firehose_buffer_interval | The firehose buffer interval; required if logging_to_es is true. | number | 300 | no |
| logging_to_es_firehose_buffer_size | The firehose buffer size; required if logging_to_es is true. | number | 15 | no |
| logging_to_es_index_name | The ES index name; required if logging_to_es is true. | string | "" | no |
| logging_to_es_index_rotation | The ES index rotation; required if logging_to_es is true. | string | "OneWeek" | no |
| logging_to_es_index_type | The ES index type; required if logging_to_es is true. | string | "" | no |
| logging_to_es_s3_kms_key_arn | The KMS key for S3 encryption; required if logging_to_es is true. | string | "" | no |
| logging_to_es_sec_grp_id | The security group of ES; required if logging_to_es is true. | set(string) | [] | no |
| logging_to_es_subnet_ids | The subnet ids of ES; required if logging_to_es is true. | set(string) | [] | no |
| name | Name of the WAFv2 | string | "" | no |
| permissions_boundary | Permissions boundary required for GCC | string | "" | no |
| rate_limit_ips | IPs to be rate-limited | set(string) | [] | no |
| s3_bucket_name | S3 bucket for logging | string | "" | no |
| scope | Scope of the WAFv2 | string | "REGIONAL" | no |
| tags | A map of tags to add to all resources | map(string) | { | no |
| Name | Description |
|---|---|
| wafv2_arn | ARN of WAFv2 |