Waf labels #1637
single_header { | ||
name = "host" | ||
dynamic "rule" { | ||
for_each = var.waf_hostnames_0 |
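Review bot: the match here is on `single_header { name = "host" }`, and the Host header is set by the client, so any request presenting one of the hostnames in `var.waf_hostnames_0` satisfies it regardless of where it comes from. The PR description says the resulting label is used to stop logging that traffic to CloudWatch, so consider combining the host match with a source condition (for example a source IP match for the internal logstash senders) so that logging is only suppressed for traffic that is actually internal, and record that reasoning under security considerations instead of n/a.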
for_each = var.waf_hostnames_0 | |
for_each = var.waf_drop_logs_hostnames |
Can we rename to remove the `0` index since this is a list of values? And rename to make the use more obvious?
let me work on that
statement { | ||
or_statement { | ||
dynamic "statement" { | ||
for_each = var.waf_hostnames_0 |
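Review bot: `dynamic "statement"` under `or_statement` expands to one nested statement per entry in `var.waf_hostnames_0`, and AWS WAF requires an OR statement to contain at least two nested statements, so a list with a single hostname (or an empty list) would fail at apply time. Add a `validation` block on the variable that enforces at least two entries, or emit the match without the `or_statement` wrapper when the list has only one entry.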
Wait, is the nested `for_each` intentional here? With this code, I'd expect we'd get a separate rule for each hostname and three separate statements (combined with OR) within each rule.
If the goal is to make the rules totally optional based on whether there are values in the variable, then `rule` needs to be dynamic. If the goal is just to have a dynamic set of statements within a rule that is always deployed, then `statement` here is the only thing that needs to be dynamic.
Changes proposed in this pull request:
Notes
This change sets a label at the WAF layer to all internal logstash traffic so we can drop logging that specific WAF traffic to CloudWatch. We also then forward that traffic to a specific router pool.
security considerations
n/a