# Count of availability zones to deploy into. Required (no default);
# the validation rejects zero and negative values.
variable "availability_zones" {
  type        = number
  description = "Number of availability zones to deploy into"

  validation {
    error_message = "Availability zones must be greater than 0"
    condition     = var.availability_zones > 0
  }
}
# S3 bucket name that holds the CloudWatch Insights dashboard definition.
variable "dashboard_bucket" {
  type        = string
  default     = "lza-inspection-cw-dashboard"
  description = "The name of the S3 bucket to store the CloudWatch Insights dashboard"
}
# Object key within dashboard_bucket for the dashboard definition.
variable "dashboard_key" {
  type        = string
  default     = "nfw-cloudwatch-dashboard.yml"
  description = "The name of the S3 bucket key to store the CloudWatch Insights dashboard"
}
# Opt-in switch for the CloudWatch Insights dashboard; off by default.
variable "enable_dashboard" {
  type        = bool
  default     = false
  description = "Indicates we should deploy the CloudWatch Insights dashboard"
}
# Change protection for the firewall policy. Defaults to false, so the
# policy is left unprotected unless a caller explicitly opts in.
variable "enable_policy_change_protection" {
  type        = bool
  default     = false
  description = "Indicates the firewall policy should be protected from changes"
}
# Change protection for the firewall subnets. Defaults to false, so the
# subnet association is left unprotected unless a caller explicitly opts in.
variable "enable_subnet_change_protection" {
  type        = bool
  default     = false
  description = "Indicates the firewall subnets should be protected from changes"
}
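# Opt-in switch for egress from the inspection VPC; off by default.
# Description typo fixed ("inspectio" -> "inspection").
variable "enable_egress" {
  description = "Indicates the inspection vpc should have egress enabled"
  type        = bool
  default     = false
}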
# Environment name; required input with no default.
variable "name" {
  type        = string
  description = "Name of the environment to deploy into"
}
# Tag map applied to every resource; required input with no default.
variable "tags" {
  type        = map(string)
  description = "Tags to apply to all resources"
}
# Whether the module creates its own KMS key for CloudWatch logs; off by
# default (see cloudwatch_kms for supplying an existing key instead).
variable "create_kms_key" {
  type        = bool
  default     = false
  description = "Create a KMS key for CloudWatch logs"
}
# Existing KMS key to use for CloudWatch logs; empty string by default.
# NOTE(review): the description says "name" but does not state whether an
# alias, key ID or ARN is expected - confirm against the consuming resource.
variable "cloudwatch_kms" {
  type        = string
  default     = ""
  description = "Name of the KMS key to use for CloudWatch logs"
}
# CloudWatch log retention in days, 30 by default. The validation rejects
# zero and negative values.
variable "cloudwatch_retention_in_days" {
  type        = number
  default     = 30
  description = "Number of days to retain CloudWatch logs"

  validation {
    error_message = "CloudWatch retention must be greater than 0"
    condition     = var.cloudwatch_retention_in_days > 0
  }
}
# Transit Gateway to attach to; required input with no default.
variable "transit_gateway_id" {
  type        = string
  description = "The ID of the Transit Gateway"
}
# Prefix length for the private subnets; /24 by default.
variable "private_subnet_netmask" {
  type        = number
  default     = 24
  description = "Netmask for the private subnets"
}
# Prefix length for the public subnets. Defaults to 0, unlike
# private_subnet_netmask (24).
# NOTE(review): presumably 0 means "no public subnets" - confirm with the
# consumer, and consider documenting that in the description.
variable "public_subnet_netmask" {
  type        = number
  default     = 0
  description = "Netmask for the public subnets"
}
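# CIDR block for the VPC. The default sits in the 100.64.0.0/10 shared
# address space (RFC 6598). A malformed CIDR previously surfaced only at
# plan/apply inside whichever resource consumed it; the validation below
# rejects it at input time instead.
variable "vpc_cidr" {
  description = "CIDR block for the VPC"
  type        = string
  default     = "100.64.0.0/21"

  validation {
    # cidrhost() fails on anything that is not a valid prefix; can() turns
    # that failure into false.
    condition     = can(cidrhost(var.vpc_cidr, 0))
    error_message = "vpc_cidr must be a valid CIDR block, e.g. 100.64.0.0/21"
  }
}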
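# Principals the firewall policy is shared with via RAM; empty by default.
# The description said "list" while the declared type is map(string);
# the description now matches the type (the type is unchanged so existing
# callers are unaffected).
variable "ram_principals" {
  description = "A map of principals to share the firewall policy with"
  type        = map(string)
  default     = {}
}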
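# Named IP sets that rules can reference; empty by default. Each set
# carries a list of CIDR entries. The validation below checks that every
# entry's cidr is a well-formed prefix, so a typo is caught at input time
# rather than inside the consuming resource.
variable "ip_prefixes" {
  description = "A collection of ip sets which can be referenced by the rules"
  type = map(object({
    name           = string
    address_family = string
    max_entries    = number
    description    = string
    entries = list(object({
      cidr        = string
      description = string
    }))
  }))
  default = {}

  validation {
    # alltrue() of an empty list is true, so an empty map or a set with no
    # entries passes.
    condition = alltrue(flatten([
      for set_key, set in var.ip_prefixes : [
        for entry in set.entries : can(cidrhost(entry.cidr, 0))
      ]
    ]))
    error_message = "Every ip_prefixes entry must have a valid CIDR in its cidr attribute"
  }
}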
# Rules to add to the policy as (name, content) pairs. Defaults to null
# rather than an empty list.
variable "firewall_rules" {
  default     = null
  description = "A collection of firewall rules to add to the policy"
  type = list(object({
    name    = string
    content = string
  }))
}
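# CIDR blocks that describe the AWS environment. The existing validation
# requires at least one entry; the second validation added here also
# requires each entry to be a well-formed prefix, so a typo in a block that
# presumably feeds firewall rules is rejected at input time.
variable "network_cidr_blocks" {
  description = "List of CIDR blocks defining the aws environment"
  type        = list(string)
  default     = ["10.0.0.0/8", "192.168.0.0/24"]

  validation {
    condition     = length(var.network_cidr_blocks) > 0
    error_message = "At least one network CIDR block must be defined"
  }

  validation {
    condition     = alltrue([for block in var.network_cidr_blocks : can(cidrhost(block, 0))])
    error_message = "Every network CIDR block must be a valid CIDR, e.g. 10.0.0.0/8"
  }
}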
# Stateful capacity, 5000 by default, constrained to the range 1..30000 by
# the two validations (each reports its own message).
# NOTE(review): the name and the 30000 ceiling read like a rule-group
# capacity value rather than "the number of stateful rule groups" the
# description states - confirm against the consuming resource.
variable "stateful_capacity" {
  type        = number
  default     = 5000
  description = "The number of stateful rule groups to create"

  validation {
    error_message = "Stateful capacity must be greater than 0"
    condition     = var.stateful_capacity > 0
  }

  validation {
    error_message = "Stateful capacity must be less than or equal to 30000"
    condition     = var.stateful_capacity <= 30000
  }
}
# Pre-existing rule groups (by ARN) to attach to the policy with a
# priority. Defaults to null rather than an empty list.
variable "external_rule_groups" {
  default     = null
  description = "A collection of additional rule groups to add to the policy"
  type = list(object({
    priority = number
    arn      = string
  }))
}
# Variable name -> list of values exposed to the suricata rules; empty by
# default.
variable "policy_variables" {
  type        = map(list(string))
  default     = {}
  description = "A map of policy variables made available to the suricata rules"
}
# Existing VPC to reuse; empty string by default. When set, the
# private_subnet_id_by_az map is expected alongside it.
variable "vpc_id" {
  type        = string
  default     = ""
  description = "If reusing an existing VPC, provide the VPC ID and private subnets ids"
}
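# Availability zone -> private subnet id, used when reusing an existing VPC;
# empty by default. Description typo fixed ("provider" -> "provide").
variable "private_subnet_id_by_az" {
  description = "If reusing an existing VPC, provide a map of az to subnet id"
  type        = map(string)
  default     = {}
}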
# Transit route table ids, used when reusing an existing VPC; empty list by
# default.
variable "transit_route_table_ids" {
  type        = list(string)
  default     = []
  description = "If reusing an existing VPC, provide the transit route table ids"
}
# Public route table ids, used when reusing an existing VPC; empty list by
# default.
variable "public_route_table_ids" {
  type        = list(string)
  default     = []
  description = "If reusing an existing VPC, provide the public route table ids"
}
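# Availability zone -> transit route table id, used when reusing an existing
# VPC; empty by default. The previous description ("provider a map of az to
# subnet id") was a copy of private_subnet_id_by_az's text; it now matches
# this variable's name and fixes the "provider" typo.
variable "transit_route_table_by_az" {
  description = "If reusing an existing VPC, provide a map of az to transit route table id"
  type        = map(string)
  default     = {}
}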