# Web ACL for the search-head ALB, built from the shared wafv2 submodule.
# Account/region/tag inputs are forwarded unchanged; everything else is
# specific to this resource.
module "waf" {
  source = "../../../submodules/wafv2"

  # Pass-through identity and tagging inputs; keep them identical to the values
  # given to every other module in this stack.
  aws_account_id = var.aws_account_id
  aws_partition  = var.aws_partition
  aws_region     = var.aws_region
  tags           = merge(local.standard_tags, var.tags)

  # The load balancer this web ACL is associated with.
  resource_arn = aws_lb.searchhead-alb.arn

  # Hostnames the WAF accepts; the first entry also becomes the WAF name.
  # NOTE(review): the commented-out example further down wraps .forward in
  # keys() while the live entry passes it directly -- confirm the output's type
  # (list vs map) before appending a second hostname.
  fqdns = concat(
    module.public_dns_record_cust-elb.forward,
    # To accept additional hostnames, append them here, e.g.:
    #    keys(module.public_dns_record_cust-auth-elb.forward),
  )

  # IP handling. allowed_ips bypasses every filter, so it stays empty unless a
  # documented exception warrants it. additional_blocked_ips extends the
  # standard block list that already lives in the submodule.
  admin_ips              = concat(local.zscalar_ips, local.admin_ips)
  allowed_ips            = []
  additional_blocked_ips = []

  # Managed rules disabled for this application. Each entry removes coverage
  # (the names cover SSRF/LFI/size checks, SQLi, and Unix command-variable
  # checks on the body and query string), so keep the lists short and record
  # the false positive that justified each one before extending them. If the
  # submodule implements these as WAFv2 managed-rule exclusions, matches are
  # still reported as counted in the WAF logs rather than blocked -- verify
  # against the submodule.
  excluded_rules_AWSManagedRulesCommonRuleSet = [
    "SizeRestrictions_BODY",
    "SizeRestrictions_QUERYSTRING",
    "RestrictedExtensions_URIPATH",
    "EC2MetaDataSSRF_BODY",
    "GenericLFI_BODY",
  ]
  excluded_rules_AWSManagedRulesSQLiRuleSet = [
    "SQLi_QUERYARGUMENTS",
    "SQLi_BODY",
  ]
  excluded_rules_AWSManagedRulesUnixRuleSet = [
    "UNIXShellCommandsVariables_BODY",
    "UNIXShellCommandsVariables_QUERYARGUMENTS",
  ]
}

# Example: attaching this WAF to an additional ALB.
#
# Sharing one web ACL between both services should be cheaper at scale; the
# association below shows how to do that, and the second example shows how to
# split out a separate WAF if the need arises.
#
# resource "aws_wafv2_web_acl_association" "associate-auth-to-waf" {
#   resource_arn = aws_lb.searchhead-auth-alb.arn
#   web_acl_arn  = module.waf.web_acl_id
# }

# Example: a second, independent WAF for the auth ALB. Note that this sketch
# omits admin_ips and the excluded_rules_* lists; copy them from the live
# module above if they apply to the second service.
#
# module "waf-auth" {
#   source = "../../../submodules/wafv2"
#
#   # Custom to resource
#   allowed_ips            = [] # bypasses filters, so should not be needed/used unless warranted
#   additional_blocked_ips = [] # NOTE: There is a standard list in the submodule
#   resource_arn           = aws_lb.searchhead-auth-alb.arn
#   fqdns                  = keys(module.public_dns_record_cust-auth-elb.forward) # first entry in list will be the WAF name
#
#   # These are passed through and should be the same for module
#   tags           = merge(local.standard_tags, var.tags)
#   aws_partition  = var.aws_partition
#   aws_region     = var.aws_region
#   aws_account_id = var.aws_account_id
# }