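variable "project" {
  description = "ID of the Google Cloud project in which the Suricata VM, packet mirroring policy and firewall rules are created"
  type        = string

  # Fail at plan time on an obviously malformed ID instead of at apply time.
  # Google project IDs are 6-30 lowercase letters, digits or hyphens, start
  # with a letter and must not end with a hyphen. (validation blocks need
  # Terraform >= 0.13.)
  validation {
    condition     = can(regex("^[a-z][a-z0-9-]{4,28}[a-z0-9]$", var.project))
    error_message = "The project must be a valid Google Cloud project ID: 6-30 lowercase letters, digits or hyphens, starting with a letter and not ending with a hyphen."
  }
}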
variable "network" {
  type = string

  # Self link of the VPC network whose traffic is mirrored. The Suricata
  # collector is deployed on this same network, so it must be the network
  # you intend to inspect, not a separate management VPC.
  description = "Self link of the VPC network that Suricata is deployed on and whose traffic is mirrored to it"
}
variable "subnet" {
  type = string

  # Self link of the subnet the Suricata collector VM is attached to. It has
  # to live in the network given by `network` and in the region given by
  # `region`; the module does not check that for you.
  description = "Self link of the subnet (in `network`, in `region`) on which the Suricata collector VM is deployed"
}
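variable "region" {
  description = "Region in which the Suricata resources are created. Must be the region of the subnet given in `subnet` (and the region that contains `zone`)."
  type        = string
  default     = "us-central1"

  # Catch a zone ("us-central1-a") passed as a region, or a plain typo,
  # before the provider errors at apply time. A validation block may only
  # reference its own variable on older Terraform, so consistency with
  # var.subnet and var.zone remains the caller's responsibility.
  validation {
    condition     = can(regex("^[a-z]+-[a-z]+[0-9]+$", var.region))
    error_message = "The region must look like a Google Cloud region name such as us-central1, not a zone such as us-central1-a."
  }
}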
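variable "zone" {
  description = "Zone in which the Suricata collector VM is created. Must be a zone of `region` and therefore of the subnet's region."
  type        = string
  default     = "us-central1-a"

  # Reject a region passed as a zone (or a typo) at plan time. Whether the
  # zone actually belongs to var.region cannot be checked here on older
  # Terraform (validation blocks only see their own variable).
  validation {
    condition     = can(regex("^[a-z]+-[a-z]+[0-9]+-[a-z]$", var.zone))
    error_message = "The zone must look like a Google Cloud zone name such as us-central1-a."
  }
}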
variable "vm_source_image" {
  type    = string
  default = "debian-cloud/debian-10"

  # Image (project/family or project/image) the collector VM boots from.
  # The default Debian 10 family reached end-of-life in mid-2024 and is
  # kept only for backward compatibility; this host sees all mirrored
  # traffic, so override it with a supported, regularly patched image.
  description = "Source image (project/family or project/image) for the Suricata VM. The default Debian 10 family is end-of-life; override it with a supported image."
}
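variable "custom_rules_path" {
  description = "GCS object path of a custom Suricata .rules file, e.g. gs://my-bucket/my.rules. Leave empty to load no custom rules."
  type        = string
  default     = ""

  # Whoever can write this object controls what the IDS detects (or quietly
  # stops detecting): restrict write access on the bucket and consider
  # object versioning so rule changes are auditable. The VM's service
  # account needs read access to the object; confirm the IAM binding in the
  # module's instance / service-account resources.
  validation {
    condition     = var.custom_rules_path == "" || can(regex("^gs://[^/]+/.+$", var.custom_rules_path))
    error_message = "The custom_rules_path must be empty or a GCS object path of the form gs://bucket/path/to/file.rules."
  }
}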
variable "enable_fast_export" {
  type    = bool
  default = true

  # fast.log carries one line per alert and nothing else, so shipping it is
  # cheap and is the minimum needed to actually act on detections.
  description = "When true, alert lines from /var/log/suricata/fast.log are parsed and shipped to Cloud Logging. fast.log contains alerts only."
}
variable "enable_eve_export" {
  type    = bool
  default = false

  # eve.json is Suricata's full event stream. Depending on the outputs
  # section of suricata.yaml it can carry flow records, stats and protocol
  # metadata (HTTP URLs, DNS names, TLS SNI, ...) for all mirrored traffic,
  # so it is both much higher volume (Cloud Logging cost) and potentially
  # sensitive. Scope access to the log sink / bucket before enabling it.
  description = "When true, events from /var/log/suricata/eve.json are parsed and shipped to Cloud Logging. Far more verbose than fast.log: includes stats and traffic/protocol records, not just alerts."
}
variable "suricata_config_path" {
  type    = string
  default = ""

  # Path to a suricata.yaml that replaces the module's default
  # configuration; empty keeps the default. NOTE(review): presumably read
  # by Terraform with file() and handed to the VM at boot - confirm in
  # main.tf. If so, its contents end up in state / instance metadata, so
  # keep credentials out of this file.
  description = "Path to a suricata.yaml that overrides the module's default configuration. Leave empty to use the default."
}
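variable "prefix" {
  description = "Prefix applied to the names of all resources created by this module"
  type        = string
  default     = "suricata"

  # Compute resource names must match [a-z]([-a-z0-9]*[a-z0-9])? and be at
  # most 63 characters; the module appends its own suffixes, so keep the
  # prefix short. Checking the pattern here gives a plan-time error instead
  # of a provider error after some resources were already created.
  validation {
    condition     = can(regex("^[a-z]([-a-z0-9]*[a-z0-9])?$", var.prefix))
    error_message = "The prefix must start with a lowercase letter, contain only lowercase letters, digits and hyphens, and not end with a hyphen."
  }
}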
variable "target_tags" {
  type    = list(string)
  default = []

  # Network tags selecting the instances whose traffic is mirrored. Tags can
  # be changed by anyone allowed to edit instances, so tag-based selection
  # is convenient but not tamper-proof: an instance editor can drop the tag
  # and take a VM out of the IDS's view. At least one of target_tags,
  # target_subnets and target_instances must be non-empty for the mirroring
  # policy to be valid.
  description = "Network tags selecting the instances whose traffic is mirrored to Suricata"
}
variable "target_subnets" {
  type    = list(string)
  default = []

  # Subnets whose instances' traffic is mirrored. Selecting by subnet is the
  # hardest scope for a workload owner to opt out of, because it does not
  # depend on per-instance tags. At least one of target_tags, target_subnets
  # and target_instances must be non-empty.
  description = "Subnets whose instances' traffic is mirrored to Suricata"
}
variable "target_instances" {
  type    = list(string)
  default = []

  # Individual instances whose traffic is mirrored. Instance lists drift as
  # VMs are recreated (new self links), so prefer subnet selection for
  # anything that must stay covered. At least one of target_tags,
  # target_subnets and target_instances must be non-empty.
  description = "Instances whose traffic is mirrored to Suricata"
}
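variable "filter" {
  description = "Packet mirroring filter: which IP protocols, CIDR ranges and direction are mirrored. The default mirrors all TCP/UDP/ICMP traffic in both directions."
  type = object({
    ip_protocols = list(string)
    cidr_ranges  = list(string)
    direction    = string
  })
  default = {
    ip_protocols = ["tcp", "udp", "icmp"]
    cidr_ranges  = ["0.0.0.0/0"]
    direction    = "BOTH"
  }

  # Anything excluded here is invisible to the IDS, so narrow the filter
  # deliberately (e.g. to reduce mirroring cost) and record the blind spot.
  # direction must be one of the values the packet mirroring API accepts.
  validation {
    condition     = contains(["INGRESS", "EGRESS", "BOTH"], var.filter.direction)
    error_message = "The filter.direction must be one of INGRESS, EGRESS or BOTH."
  }

  # Reject malformed prefixes at plan time: cidrhost() fails on anything
  # that is not a valid IPv4/IPv6 CIDR.
  validation {
    condition     = length([for c in var.filter.cidr_ranges : c if !can(cidrhost(c, 0))]) == 0
    error_message = "Every entry in filter.cidr_ranges must be a valid CIDR prefix such as 10.0.0.0/8."
  }
}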
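variable "base_priority" {
  description = <<-EOT
    Base priority for the three firewall rules the module creates for the Suricata collector.
    Packet mirroring needs the collector to accept traffic on all ports, but SSH must not be
    reachable from anywhere, so the module uses three rules: allow all traffic, deny SSH, and
    allow SSH only from the IAP TCP-forwarding range. GCP evaluates the lowest priority
    number first, so the deny-SSH and IAP-allow rules must end up with a smaller number than
    the allow-all rule; this value is the starting point from which the other two are derived.
  EOT
  type    = number
  default = 1000

  # GCP firewall priorities are integers 0-65535. Keep two slots free on
  # each side so the derived priorities stay in range whichever way main.tf
  # offsets them. NOTE(review): the original wording "increasing priority"
  # is ambiguous because in GCP a lower number wins; verify in main.tf that
  # the deny-SSH and IAP-allow rules get a LOWER number than allow-all,
  # otherwise the allow-all rule shadows the SSH deny.
  validation {
    condition     = var.base_priority == floor(var.base_priority) && var.base_priority >= 2 && var.base_priority <= 65533
    error_message = "The base_priority must be an integer between 2 and 65533 so that the two derived rule priorities stay within GCP's 0-65535 range."
  }
}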