- module "waf" {
- source = "../../../submodules/wafv2"
- # Custom to resource
- allowed_ips = [ ] # bypasses filters, so should not be needed/used unless warranted
- admin_ips = concat(var.zscalar_ips, var.admin_ips)
- additional_blocked_ips = [ ] # NOTE: There is a standard list in the submodule
- resource_arn = aws_lb.searchhead-alb.arn
- fqdns = concat( # first entry in list will be the WAF name
- keys(module.public_dns_record_cust-elb.forward),
- # example, to add additional valid hostnames
- # keys(module.public_dns_record_cust-auth-elb.forward),
- )
- # These are passed through and should be the same for module
- tags = merge(var.standard_tags, var.tags)
- aws_partition = var.aws_partition
- aws_region = var.aws_region
- aws_account_id = var.aws_account_id
- }
- # Example: If you want to attach the WAF to an additional ALB
- #
- # Share a WAF for both services, should be cheaper due to scale, but can be easily separated out
- # using the commented section below, if the need arises.
- #resource "aws_wafv2_web_acl_association" "associate-auth-to-waf" {
- # resource_arn = aws_lb.searchhead-auth-alb.arn
- # web_acl_arn = module.waf.web_acl_id
- #}
- # Example: If you want a second WAF, that should be straightforward
- #module "waf-auth" {
- # source = "../../../submodules/wafv2"
- #
- # # Custom to resource
- # allowed_ips = [ ] # bypasses filters, so should not be needed/used unless warranted
- # additional_blocked_ips = [ ] # NOTE: There is a standard list in the submodule
- # resource_arn = aws_lb.searchhead-auth-alb.arn
- # fqdns = keys(module.public_dns_record_cust-auth-elb.forward) # first entry in list will be the WAF name
- #
- # # These are passed through and should be the same for module
- # tags = merge(var.standard_tags, var.tags)
- # aws_partition = var.aws_partition
- # aws_region = var.aws_region
- # aws_account_id = var.aws_account_id
- #}