variable "create" {
description = "Controls if resources should be created"
type = bool
default = true
}
variable "tags" {
description = "A map of tags to add to all resources"
type = map(string)
default = {}
}
################################################################################
# Firewall
################################################################################
variable "delete_protection" {
description = "A boolean flag indicating whether it is possible to delete the firewall. Defaults to `true`"
type = bool
default = true
}
variable "description" {
description = "A friendly description of the firewall"
type = string
default = ""
}
variable "encryption_configuration" {
description = "KMS encryption configuration settings"
type = any
default = {}
}
variable "firewall_policy_arn" {
description = "The ARN of the Firewall Policy to use"
type = string
default = ""
}
variable "firewall_policy_change_protection" {
description = "A boolean flag indicating whether it is possible to change the associated firewall policy. Defaults to `false`"
type = bool
default = null
}
variable "name" {
description = "A friendly name of the firewall"
type = string
default = ""
}
variable "subnet_change_protection" {
description = "A boolean flag indicating whether it is possible to change the associated subnet(s). Defaults to `true`"
type = bool
default = true
}
variable "subnet_mapping" {
description = "Set of configuration blocks describing the public subnets. Each subnet must belong to a different Availability Zone in the VPC. AWS Network Firewall creates a firewall endpoint in each subnet"
type = any
default = {}
}
variable "vpc_id" {
description = "The unique identifier of the VPC where AWS Network Firewall should create the firewall"
type = string
default = ""
}
################################################################################
# Firewall Logging Configuration
################################################################################
variable "create_logging_configuration" {
description = "Controls if a Logging Configuration should be created"
type = bool
default = false
}
variable "logging_configuration_destination_config" {
description = "A list of min 1, max 2 configuration blocks describing the destination for the logging configuration"
type = any
default = []
}
################################################################################
# Firewall Policy
################################################################################
variable "create_policy" {
description = "Controls if policy should be created"
type = bool
default = true
}
variable "policy_description" {
description = "A friendly description of the firewall policy"
type = string
default = null
}
variable "policy_encryption_configuration" {
description = "KMS encryption configuration settings"
type = any
default = {}
}
variable "policy_stateful_default_actions" {
description = "Set of actions to take on a packet if it does not match any stateful rules in the policy. This can only be specified if the policy has a `stateful_engine_options` block with a rule_order value of `STRICT_ORDER`. You can specify one of either or neither values of `aws:drop_strict` or `aws:drop_established`, as well as any combination of `aws:alert_strict` and `aws:alert_established`"
type = list(string)
default = []
}
variable "policy_stateful_engine_options" {
description = "A configuration block that defines options on how the policy handles stateful rules. See [Stateful Engine Options](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall_policy#stateful-engine-options) for details"
type = any
default = {}
}
variable "policy_stateful_rule_group_reference" {
description = "Set of configuration blocks containing references to the stateful rule groups that are used in the policy. See [Stateful Rule Group Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall_policy#stateful-rule-group-reference) for details"
type = any
default = {}
}
variable "policy_stateless_custom_action" {
description = "Set of configuration blocks describing the custom action definitions that are available for use in the firewall policy's `stateless_default_actions`"
type = any
default = {}
}
variable "policy_stateless_default_actions" {
description = "Set of actions to take on a packet if it does not match any of the stateless rules in the policy. You must specify one of the standard actions including: `aws:drop`, `aws:pass`, or `aws:forward_to_sfe`"
type = list(string)
default = ["aws:pass"]
}
variable "policy_stateless_fragment_default_actions" {
description = "Set of actions to take on a fragmented packet if it does not match any of the stateless rules in the policy. You must specify one of the standard actions including: `aws:drop`, `aws:pass`, or `aws:forward_to_sfe`"
type = list(string)
default = ["aws:pass"]
}
variable "policy_stateless_rule_group_reference" {
description = "Set of configuration blocks containing references to the stateless rule groups that are used in the policy. See [Stateless Rule Group Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall_policy#stateless-rule-group-reference) for details"
type = any
default = {}
}
variable "policy_name" {
description = "A friendly name of the firewall policy"
type = string
default = ""
}
variable "policy_tags" {
description = "A map of tags to add to all resources"
type = map(string)
default = {}
}
# Resource Policy
variable "create_policy_resource_policy" {
description = "Controls if a resource policy should be created"
type = bool
default = false
}
variable "policy_resource_policy_actions" {
description = "A list of IAM actions allowed in the resource policy"
type = list(string)
default = []
}
variable "policy_resource_policy_principals" {
description = "A list of IAM principals allowed in the resource policy"
type = list(string)
default = []
}
variable "policy_attach_resource_policy" {
description = "Controls if a resource policy should be attached to the firewall policy"
type = bool
default = false
}
variable "policy_resource_policy" {
description = "The policy JSON to use for the resource policy; required when `create_resource_policy` is `false`"
type = string
default = ""
}
# RAM Resource Association
variable "policy_ram_resource_associations" {
description = "A map of RAM resource associations for the created firewall policy"
type = map(string)
default = {}
}