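variable "aws_region" {
  description = "The AWS region to deploy into (defaults to 'ca-central-1' for legal reasons). The availability-zone variables must belong to this region."
  type        = string
  default     = "ca-central-1"

  # Reject values that are not shaped like a region code (an AZ such as
  # 'ca-central-1a', an empty string, a typo) before the provider is configured,
  # so the failure is a plan-time message rather than a provider API error.
  validation {
    condition     = can(regex("^[a-z]{2}(-[a-z]+)+-[0-9]+$", var.aws_region))
    error_message = "aws_region must be an AWS region code such as 'ca-central-1'."
  }
}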
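variable "ansible_playbook_bucket_name" {
  description = "The name of the S3 bucket to hold the Ansible playbooks. S3 bucket names are global across all AWS accounts, so override this default with a name unique to your deployment (e.g. add an account or environment suffix)."
  type        = string
  default     = "ctf-ansible-playbooks"

  # NOTE(security): the default is short and guessable. Because the S3 namespace
  # is global, another account may already own it; creating the bucket would then
  # fail, and if the bucket is referenced rather than created here (not visible
  # in this file - confirm) the playbooks executed on the hosts would be fetched
  # from a bucket this deployment does not control. Prefer a per-deployment name.

  # S3 bucket naming rules: 3-63 characters, lowercase letters, digits, dots and
  # hyphens, starting and ending with a letter or digit, not IP-address shaped.
  validation {
    condition     = can(regex("^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$", var.ansible_playbook_bucket_name))
    error_message = "ansible_playbook_bucket_name must be a valid S3 bucket name (3-63 chars, lowercase letters, digits, '.' and '-', starting and ending with a letter or digit)."
  }
  validation {
    condition     = !can(regex("^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$", var.ansible_playbook_bucket_name))
    error_message = "ansible_playbook_bucket_name must not be formatted like an IP address."
  }
}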
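variable "aws_availability_zone_a" {
  description = "The first availability zone to deploy into (defaults to 'ca-central-1a' for legal reasons). Must be a zone of 'aws_region' and differ from 'aws_availability_zone_b'."
  type        = string
  default     = "ca-central-1a"

  # Shape check only: a region code without the trailing zone letter, or an
  # empty string, is rejected at plan time. Membership in aws_region cannot be
  # checked here without cross-variable validation.
  validation {
    condition     = can(regex("^[a-z]{2}(-[a-z]+)+-[0-9]+[a-z]$", var.aws_availability_zone_a))
    error_message = "aws_availability_zone_a must be an availability zone id such as 'ca-central-1a'."
  }
}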
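variable "aws_availability_zone_b" {
  description = "The second availability zone to deploy into (defaults to 'ca-central-1b' for legal reasons). Must be a zone of 'aws_region' and differ from 'aws_availability_zone_a'."
  type        = string
  default     = "ca-central-1b"

  # Shape check only: a region code without the trailing zone letter, or an
  # empty string, is rejected at plan time. Membership in aws_region cannot be
  # checked here without cross-variable validation.
  validation {
    condition     = can(regex("^[a-z]{2}(-[a-z]+)+-[0-9]+[a-z]$", var.aws_availability_zone_b))
    error_message = "aws_availability_zone_b must be an availability zone id such as 'ca-central-1b'."
  }
}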
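variable "vpc_cidr_block" {
  description = "The IPv4 CIDR block for the CTF VPC. All subnet_*_cidr_block values must fall inside it."
  type        = string
  default     = "192.168.42.0/24"

  # cidrnetmask only accepts IPv4 CIDR notation, so wrapping it in can() gives a
  # plan-time check that the value is a well-formed IPv4 prefix.
  validation {
    condition     = can(cidrnetmask(var.vpc_cidr_block))
    error_message = "vpc_cidr_block must be a valid IPv4 CIDR block, e.g. '192.168.42.0/24'."
  }

  # AWS only accepts VPC prefixes between /16 and /28.
  validation {
    condition     = can(regex("/(1[6-9]|2[0-8])$", var.vpc_cidr_block))
    error_message = "vpc_cidr_block prefix length must be between /16 and /28."
  }
}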
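variable "subnet_a_public_cidr_block" {
  description = "The IPv4 CIDR block for the public subnet A. Must lie inside 'vpc_cidr_block' and not overlap the other subnet_*_cidr_block values."
  type        = string
  default     = "192.168.42.0/27"

  # Well-formedness only; containment in the VPC block is not checked here.
  validation {
    condition     = can(cidrnetmask(var.subnet_a_public_cidr_block))
    error_message = "subnet_a_public_cidr_block must be a valid IPv4 CIDR block."
  }

  # AWS subnets must be between /16 and /28.
  validation {
    condition     = can(regex("/(1[6-9]|2[0-8])$", var.subnet_a_public_cidr_block))
    error_message = "subnet_a_public_cidr_block prefix length must be between /16 and /28."
  }
}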
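variable "subnet_b_public_cidr_block" {
  description = "The IPv4 CIDR block for the public subnet B. Must lie inside 'vpc_cidr_block' and not overlap the other subnet_*_cidr_block values."
  type        = string
  default     = "192.168.42.32/27"

  # Well-formedness only; containment in the VPC block is not checked here.
  validation {
    condition     = can(cidrnetmask(var.subnet_b_public_cidr_block))
    error_message = "subnet_b_public_cidr_block must be a valid IPv4 CIDR block."
  }

  # AWS subnets must be between /16 and /28.
  validation {
    condition     = can(regex("/(1[6-9]|2[0-8])$", var.subnet_b_public_cidr_block))
    error_message = "subnet_b_public_cidr_block prefix length must be between /16 and /28."
  }
}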
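variable "subnet_natgw_cidr_block" {
  description = "The IPv4 CIDR block for the NAT Gateway subnet. Must lie inside 'vpc_cidr_block' and not overlap the other subnet_*_cidr_block values."
  type        = string
  default     = "192.168.42.64/27"

  # Well-formedness only; containment in the VPC block is not checked here.
  validation {
    condition     = can(cidrnetmask(var.subnet_natgw_cidr_block))
    error_message = "subnet_natgw_cidr_block must be a valid IPv4 CIDR block."
  }

  # AWS subnets must be between /16 and /28.
  validation {
    condition     = can(regex("/(1[6-9]|2[0-8])$", var.subnet_natgw_cidr_block))
    error_message = "subnet_natgw_cidr_block prefix length must be between /16 and /28."
  }
}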
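variable "subnet_owaspjs_cidr_block" {
  description = "The IPv4 CIDR block for the OWASP Juice Shop subnet. Must lie inside 'vpc_cidr_block' and not overlap the other subnet_*_cidr_block values."
  type        = string
  default     = "192.168.42.96/27"

  # Well-formedness only; containment in the VPC block is not checked here.
  validation {
    condition     = can(cidrnetmask(var.subnet_owaspjs_cidr_block))
    error_message = "subnet_owaspjs_cidr_block must be a valid IPv4 CIDR block."
  }

  # AWS subnets must be between /16 and /28.
  validation {
    condition     = can(regex("/(1[6-9]|2[0-8])$", var.subnet_owaspjs_cidr_block))
    error_message = "subnet_owaspjs_cidr_block prefix length must be between /16 and /28."
  }
}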
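variable "subnet_cftd_cidr_block" {
  # The variable name keeps its historical spelling ('cftd') for compatibility
  # with existing callers; it is the CTFd subnet.
  description = "The IPv4 CIDR block for the CTFd subnet. Must lie inside 'vpc_cidr_block' and not overlap the other subnet_*_cidr_block values."
  type        = string
  default     = "192.168.42.128/27"

  # Well-formedness only; containment in the VPC block is not checked here.
  validation {
    condition     = can(cidrnetmask(var.subnet_cftd_cidr_block))
    error_message = "subnet_cftd_cidr_block must be a valid IPv4 CIDR block."
  }

  # AWS subnets must be between /16 and /28.
  validation {
    condition     = can(regex("/(1[6-9]|2[0-8])$", var.subnet_cftd_cidr_block))
    error_message = "subnet_cftd_cidr_block prefix length must be between /16 and /28."
  }
}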
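variable "instance_type" {
  description = "The EC2 instance type used for both the CTFd and OWASP Juice Shop instances."
  type        = string
  default     = "t2.medium"

  # Shape check ('family.size'); whether the type exists in the chosen region is
  # only known at apply time.
  validation {
    condition     = can(regex("^[a-z0-9-]+\\.[a-z0-9]+$", var.instance_type))
    error_message = "instance_type must look like an EC2 instance type, e.g. 't2.medium'."
  }
}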
# AWS Managed Rules rule groups list
# https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html
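variable "managed_rules" {
  description = "List of AWS Managed WAF rule groups to attach to the Web ACLs. Each entry gives the rule group name, its evaluation priority (unique; lower values are evaluated first) and the override action: 'none' enforces the rule group's own block/allow actions, 'count' only records matches and blocks nothing."
  type = list(object({
    name            = string
    priority        = number
    override_action = string
  }))

  # Allow-list of the managed rule groups this configuration has been exercised
  # with. Extend it deliberately: a misspelled group name would otherwise only
  # surface at apply time as a WAF API error.
  validation {
    condition = alltrue([for rule in var.managed_rules : contains([
      "AWSManagedRulesCommonRuleSet",
      "AWSManagedRulesAdminProtectionRuleSet",
      "AWSManagedRulesKnownBadInputsRuleSet",
      "AWSManagedRulesSQLiRuleSet",
      "AWSManagedRulesLinuxRuleSet",
      "AWSManagedRulesUnixRuleSet",
      "AWSManagedRulesAmazonIpReputationList",
      "AWSManagedRulesAnonymousIpList",
      "AWSManagedRulesBotControlRuleSet",
    ], rule.name)])
    error_message = "Unsupported AWS Managed Rule provided."
  }

  # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#override-action
  validation {
    condition     = alltrue([for rule in var.managed_rules : contains(["none", "count"], rule.override_action)])
    error_message = "Unsupported override action, valid inputs are 'none' and 'count'."
  }

  # AWS WAF requires rule priorities within a Web ACL to be unique and a given
  # rule group can only be attached once; catch both at plan time.
  validation {
    condition     = length(distinct([for rule in var.managed_rules : rule.priority])) == length(var.managed_rules)
    error_message = "Each managed rule must have a unique priority."
  }
  validation {
    condition     = length(distinct([for rule in var.managed_rules : rule.name])) == length(var.managed_rules)
    error_message = "Each managed rule group may be listed only once."
  }
  validation {
    condition     = alltrue([for rule in var.managed_rules : rule.priority >= 0 && floor(rule.priority) == rule.priority])
    error_message = "Rule priorities must be non-negative whole numbers."
  }

  # NOTE(security): every default entry uses override_action = "count", so the
  # Web ACL only observes traffic and never blocks anything. That is a sensible
  # starting point for tuning false positives on a CTF target, but it is not a
  # protective control. Set entries to "none" once their COUNT metrics have been
  # reviewed if the WAF is expected to enforce.
  default = [
    {
      name            = "AWSManagedRulesAmazonIpReputationList",
      priority        = 10
      override_action = "count"
    },
    {
      name            = "AWSManagedRulesCommonRuleSet",
      priority        = 20
      override_action = "count"
    },
    {
      name            = "AWSManagedRulesKnownBadInputsRuleSet",
      priority        = 30
      override_action = "count"
    },
    {
      name            = "AWSManagedRulesSQLiRuleSet",
      priority        = 40
      override_action = "count"
    },
    {
      name            = "AWSManagedRulesLinuxRuleSet",
      priority        = 50
      override_action = "count"
    },
    {
      name            = "AWSManagedRulesUnixRuleSet",
      priority        = 60
      override_action = "count"
    },
    {
      name            = "AWSManagedRulesBotControlRuleSet",
      priority        = 70
      override_action = "count"
    },
  ]
}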