AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204
							variable "name" {
  description = "The shortname for DNS and resources."
  type        = string
}

variable "subject_alternative_names" {
  description = "List of alternative names for the certificate."
  type        = list(string)
  default     = []
}

variable "redirect_80" {
  description = "True sets up a redirect from 80 to listener port"
  type        = bool
  default     = false
}

variable "target_ids" {
  description = "List of targets to assign to the ALB"
  type        = set(string)
}

variable "allow_from_any" {
  description = "Open the ALB to 0.0.0.0/0? If not, you must create your own rules."
  type        = bool
  default     = true
}

variable "listener_port" {
  description = "Public Facing Port"
  type        = number
}

variable "target_port" {
  description = "Port on Instance"
  type        = number
}

variable "target_protocol" {
  description = "Protocol on Instance"
  type        = string
}

variable "target_security_group" {
  description = "A target security group to allow egress from the ALB"
  type        = string
}

# Health Check Variables have sane defaults
variable "healthcheck_port" {
  description = "Health Check Port on Instance"
  type        = number
  default     = null
}

variable "healthcheck_protocol" {
  description = "Health Check Protocol on Instance"
  type        = string
  default     = null
}

variable "healthcheck_path" {
  description = "Health Check Path on Instance"
  type        = string
  default     = "/"
}

variable "healthcheck_matcher" {
  description = "Health Check Match Conditions"
  type        = string
  default     = "200,302"
}

variable "stickiness" {
  description = "Session Stickiness enabled?"
  type        = bool
  default     = false
}

locals {
  healthcheck_port     = var.healthcheck_port == null ? var.target_port : var.healthcheck_port
  healthcheck_protocol = var.healthcheck_protocol == null ? var.target_protocol : var.healthcheck_protocol
}

# WAF passthrough variables
variable "waf_enabled" {
  type        = bool
  description = "Enable the standard WAF?"
}

variable "fqdns" {
  description = "List of FQDNs to allow through the WAF"
  type        = list(string)
  default     = [] # Default will allow nothing through, so only valid if waf_enabled is false
}

## Excluded Rules
variable "excluded_rules_AWSManagedRulesCommonRuleSet" {
  type = list(string)
  default = [
    "SizeRestrictions_BODY" # Breaks too many things
  ]
}

variable "excluded_rules_AWSManagedRulesAmazonIpReputationList" {
  type    = list(string)
  default = []
}

variable "excluded_rules_AWSManagedRulesKnownBadInputsRuleSet" {
  type    = list(string)
  default = []
}

variable "excluded_rules_AWSManagedRulesSQLiRuleSet" {
  type    = list(string)
  default = []
}

variable "excluded_rules_AWSManagedRulesLinuxRuleSet" {
  type    = list(string)
  default = []
}

variable "excluded_rules_AWSManagedRulesUnixRuleSet" {
  type    = list(string)
  default = []
}

## Exclude Entire Sets
variable "excluded_set_AWSManagedRulesCommonRuleSet" {
  type    = bool
  default = null
}

variable "excluded_set_AWSManagedRulesAmazonIpReputationList" {
  type    = bool
  default = null
}

variable "excluded_set_AWSManagedRulesKnownBadInputsRuleSet" {
  type    = bool
  default = null
}

variable "excluded_set_AWSManagedRulesSQLiRuleSet" {
  type    = bool
  default = null
}

variable "excluded_set_AWSManagedRulesLinuxRuleSet" {
  type    = bool
  default = null
}

variable "excluded_set_AWSManagedRulesUnixRuleSet" {
  type    = bool
  default = null
}

variable "block_settings" {
  type = object(
    {
      default                               = bool, # Default action. False = count
      custom                                = bool, # XDR Custom Rules. False = count
      admin                                 = bool, # Block /admin access to admin IPs
      AWSManagedRulesCommonRuleSet          = bool,
      AWSManagedRulesAmazonIpReputationList = bool,
      AWSManagedRulesKnownBadInputsRuleSet  = bool,
      AWSManagedRulesSQLiRuleSet            = bool,
      AWSManagedRulesLinuxRuleSet           = bool,
      AWSManagedRulesUnixRuleSet            = bool,
    }
  )
  default = null
}

variable "additional_blocked_ips" {
  description = "IP addresses that are blocked, in addition to the defaults."
  type        = list(string)
  default     = []
}

variable "allowed_ips" {
  description = "IP Addresses that are always allowed"
  type        = list(string)
  default     = []
}

variable "admin_ips" {
  description = "IP Addressed that are allowed to the admin interface"
  type        = list(string)
  default     = []
}

# Inherited variables
variable "dns_info" { type = map(any) }
variable "tags" { type = map(any) }
variable "public_subnets" { type = list(any) }
variable "environment" { type = string }
variable "vpc_id" { type = string }
variable "aws_partition" { type = string }
variable "aws_region" { type = string }
variable "aws_account_id" { type = string }