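# ID of the VPC this DNS Firewall configuration targets.
variable "vpc_id" {
  type        = string
  description = "VPC ID, e.g. vpc-xxxxxxxxxxxxxxxxx"

  # Reject an obviously malformed ID at plan time instead of at apply time.
  validation {
    condition     = can(regex("^vpc-", var.vpc_id))
    error_message = "vpc_id must be a VPC ID starting with \"vpc-\"."
  }
}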
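# Failure mode of the DNS Firewall. NOTE: the description below quotes the AWS
# service default (DISABLED = fail closed); this module's own default is
# ENABLED (fail open), which favours availability over security. Callers who
# want fail-closed behaviour must set this to "DISABLED" explicitly.
variable "firewall_fail_open" {
  type        = string
  description = <<-EOF
Determines how Route 53 Resolver handles queries during failures, for example when all traffic that is sent to DNS Firewall fails to receive a reply.
By default, fail open is disabled, which means the failure mode is closed.
This approach favors security over availability. DNS Firewall blocks queries that it is unable to evaluate properly.
If you enable this option, the failure mode is open. This approach favors availability over security.
In this case, DNS Firewall allows queries to proceed if it is unable to properly evaluate them.
Valid values: ENABLED, DISABLED.
Note: the AWS default described above is DISABLED; this module defaults the variable to ENABLED (fail open). Set DISABLED to keep the fail-closed behavior.
EOF
  default     = "ENABLED"

  # Only the two documented values are accepted by the provider; catch typos
  # (e.g. lower-case "enabled") at plan time.
  validation {
    condition     = contains(["ENABLED", "DISABLED"], var.firewall_fail_open)
    error_message = "firewall_fail_open must be either \"ENABLED\" or \"DISABLED\"."
  }
}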
# Toggle for Route 53 Resolver query logging. Off by default; when turned on,
# the log destination is presumably taken from query_log_destination_arn
# (confirm in the resource definitions).
variable "query_log_enabled" {
  description = "Flag to enable/disable Route 53 Resolver query logging"
  type        = bool
  default     = false
}
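# Destination for Resolver query logs. Null by default; presumably required
# only when query_log_enabled = true (cross-variable checks are not expressed
# here — confirm against the resources that consume it).
variable "query_log_destination_arn" {
  type        = string
  description = <<-EOF
The ARN of the resource that you want Route 53 Resolver to send query logs.
You can send query logs to an S3 bucket, a CloudWatch Logs log group, or a Kinesis Data Firehose delivery stream.
EOF
  default     = null

  # When a value is given it must at least look like an ARN; null is allowed
  # because the variable is optional.
  validation {
    condition     = var.query_log_destination_arn == null || can(regex("^arn:", var.query_log_destination_arn))
    error_message = "query_log_destination_arn must be null or an ARN starting with \"arn:\"."
  }
}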
# Optional explicit name for the query log config; leave null to let the
# module derive one (the description states how).
variable "query_log_config_name" {
  description = "Route 53 Resolver query log config name. If omitted, the name will be generated by concatenating the ID from the context with the VPC ID"
  type        = string
  default     = null
}
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_firewall_domain_list
# Keyed by domain-list name (the key is what rule_groups_config.rules[*]
# .firewall_domain_list_name refers to — verify in the resource definitions).
# Each entry supplies its domains inline, from a file, or both; both fields
# are optional.
variable "domains_config" {
  description = "Map of Route 53 Resolver DNS Firewall domain configurations"
  type = map(object({
    domains      = optional(list(string)) # inline list of domain names
    domains_file = optional(string)       # path to a file of domain names
  }))
}
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_firewall_rule_group
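# Rule groups keyed by name, each holding a map of rules keyed by rule name.
# Only the rule action and the group's mutation_protection are validated here;
# the remaining fields are passed through to the provider.
variable "rule_groups_config" {
  type = map(object({
    priority            = number
    mutation_protection = optional(string) # ENABLED or DISABLED
    # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_firewall_rule
    rules = map(object({
      action                    = string # ALLOW, BLOCK or ALERT
      priority                  = number
      # block_override_* are only meaningful for a BLOCK rule whose
      # block_response is "OVERRIDE" (per the provider docs linked above).
      block_override_dns_type   = optional(string)
      block_override_domain     = optional(string)
      block_override_ttl        = optional(number)
      block_response            = optional(string)
      firewall_domain_list_name = string # key into domains_config
    }))
  }))
  description = "Rule groups and rules configuration"

  # An invalid action would otherwise only surface as an API error at apply
  # time; fail early with a clear message.
  validation {
    condition = alltrue(flatten([
      for rg in var.rule_groups_config : [
        for r in rg.rules : contains(["ALLOW", "BLOCK", "ALERT"], r.action)
      ]
    ]))
    error_message = "Each rule's action must be one of ALLOW, BLOCK or ALERT."
  }

  validation {
    condition = alltrue([
      for rg in var.rule_groups_config :
      rg.mutation_protection == null || contains(["ENABLED", "DISABLED"], rg.mutation_protection)
    ])
    error_message = "mutation_protection, when set, must be either ENABLED or DISABLED."
  }
}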