# -----------------------------------------------------------------------------
# Cloud Guard Related Variables
# -----------------------------------------------------------------------------
# Cloud Guard tenant-level switch. Defaults to enabled so that a plain
# deployment gets posture monitoring without extra configuration.
variable "is_cloud_guard_enabled" {
  description = "the status of the Cloud Guard tenant (ENABLED if true or DISABLED if false)"
  type        = bool
  default     = true
}
# Vulnerability Scanning Service (VSS) switch; the scan-level and schedule
# variables below only matter when this is true.
variable "is_vulnerability_scanning_service_enabled" {
  description = "the status of the vulnerability scanning service"
  type        = bool
  default     = true
}
# Agent-based (in-OS) scan depth for the VSS host scan recipe.
# NOTE(review): no validation block here; an unsupported value is only
# rejected by the OCI provider at apply time, and a value of NONE would
# silently disable agent scanning. Confirm the accepted set against the
# provider documentation before adding a validation block.
variable "host_scan_recipe_agent_settings_scan_level" {
  description = "Vulnerability scanning service agent scan level"
  type        = string
  default     = "STANDARD"
}
# Network port-scan depth for the VSS host scan recipe.
# NOTE(review): as with the agent scan level, invalid values surface only
# at apply time; a value of NONE disables port scanning entirely.
variable "host_scan_recipe_port_settings_scan_level" {
  description = "Vulnerability scanning service port scan level"
  type        = string
  default     = "STANDARD"
}
# CIS benchmark strictness applied by the VSS agent. STRICT is the most
# demanding profile and is deliberately the default for a security baseline;
# relaxing it should be a conscious, reviewed decision.
variable "agent_cis_benchmark_settings_scan_level" {
  description = "Agent benchmarking settings scan level"
  type        = string
  default     = "STRICT"
}
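# How often VSS runs the host scan recipe. The OCI scanning schedule accepts
# DAILY or WEEKLY; validating here fails at plan time instead of at apply
# time, and prevents a typo from silently producing a broken recipe.
variable "vss_scan_schedule" {
  type        = string
  description = "Vulnerability scanning service scan schedule (DAILY or WEEKLY)"
  default     = "DAILY"
  validation {
    condition     = contains(["DAILY", "WEEKLY"], var.vss_scan_schedule)
    error_message = "vss_scan_schedule must be DAILY or WEEKLY."
  }
}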
# -----------------------------------------------------------------------------
# Bastion Related Variables
# -----------------------------------------------------------------------------
# Toggle for the OCI Bastion service. Enabled by default: without a private
# path (FastConnect/VPN) the bastion is the intended way in, and with one it
# is an optional extra layer.
variable "enable_bastion" {
  description = "Do you want to enable bastion service (true/false). Choose whether or not to use bastion. If you are deploying with FastConnect and/or VPN, the Bastion is an additional and optional layer of access to your environment. If you are not, we recommend using the bastion."
  type        = bool
  default     = true
}
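# Subnet CIDR for the bastion. The empty default is kept so existing callers
# that disable the bastion keep working; any non-empty value must be a valid
# CIDR so a malformed block is caught at plan time rather than at apply time.
# NOTE(review): a validation block cannot reference enable_bastion, so an
# empty value with enable_bastion = true is only caught downstream.
variable "bastion_subnet_cidr_block" {
  type        = string
  description = "CIDR Block for bastion subnet (required when enable_bastion is true)"
  default     = ""
  validation {
    condition     = var.bastion_subnet_cidr_block == "" || can(cidrhost(var.bastion_subnet_cidr_block, 0))
    error_message = "bastion_subnet_cidr_block must be empty or a valid CIDR block (e.g. 10.0.1.0/24)."
  }
}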
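# Source address ranges permitted to open sessions on the bastion. This is the
# network-level gate in front of every bastion session, so keep it as narrow
# as the operator population allows; 0.0.0.0/0 turns the bastion into an
# internet-exposed entry point and should not be used.
# Each entry must parse as a CIDR block so a typo fails at plan time.
variable "bastion_client_cidr_block_allow_list" {
  type        = list(string)
  description = "Client address ranges, in CIDR notation, that are allowed to connect to the bastion. Keep this as restrictive as possible; avoid 0.0.0.0/0."
  default     = []
  validation {
    condition     = length([for c in var.bastion_client_cidr_block_allow_list : c if !can(cidrhost(c, 0))]) == 0
    error_message = "Every entry in bastion_client_cidr_block_allow_list must be a valid CIDR block (e.g. 203.0.113.0/24)."
  }
}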
# -----------------------------------------------------------------------------
# Audit Logging Variables
# -----------------------------------------------------------------------------
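# Retention duration for the archived (immutable) log bucket.
# Declared as number: the default and the validation are numeric, and the
# previous string type relied on implicit conversion. Numeric strings such
# as "30" still convert, so existing callers are unaffected.
# Once the retention rule locks (after the 14-day grace period described
# below) the duration can only be increased, so choose this value carefully.
variable "retention_rule_duration_time_amount" {
  type        = number
  description = <<EOF
Please note this feature is irreversible after 14 days.
Please review (and/or) unlock the retention rule before it is locked permanently.
By enabling this feature, logs will be archived in an immutable storage with locked retention rule avoiding object modification and deletion.
After the rule is locked, only increase in the retention is allowed.
EOF
  default     = 1
  validation {
    # Must be a whole number of at least 1; fractional durations are not meaningful here.
    condition     = var.retention_rule_duration_time_amount >= 1 && floor(var.retention_rule_duration_time_amount) == var.retention_rule_duration_time_amount
    error_message = "The retention rule duration must be a whole number of 1 day or greater."
  }
}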
# -----------------------------------------------------------------------------
# VCN Flow Log Variables
# -----------------------------------------------------------------------------
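# Selects which advanced logs are enabled. The previous regex check was
# unanchored, so inputs such as "NONE BOTH" or "not FLOW_LOGS" passed
# validation while matching none of the expected values downstream — a
# fail-open path for a logging control. An exact membership check closes it.
variable "advanced_logging_option" {
  type        = string
  description = "Enable or Disable VCN flow logs and/or Audit Logs. Select an option between NONE, AUDIT_LOGS, FLOW_LOGS or BOTH."
  default     = "BOTH"
  validation {
    condition     = contains(["NONE", "AUDIT_LOGS", "FLOW_LOGS", "BOTH"], var.advanced_logging_option)
    error_message = "Select an option between NONE, AUDIT_LOGS, FLOW_LOGS or BOTH."
  }
}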
# When true, the module provisions a stream pool and stream endpoint so an
# external SIEM can ingest the logs. Off by default: the streaming endpoint
# is an additional data egress path that should be a deliberate choice.
variable "using_third_party_siem" {
  description = "If 3rd party siem is being used, creates stream pool and stream endpoint for siem ingestion"
  type        = bool
  default     = false
}