# Local Values
# https://www.terraform.io/docs/language/values/locals.html
locals {
  # Hostnames handled by the gateway, taken from the keys of var.gateway_dns.
  gateway_domains = keys(var.gateway_dns)

  # Google Cloud Armor preconfigured WAF rule sets. Each set bundles several signatures
  # sourced from OWASP CRS v3.3.3:
  #   https://github.com/coreruleset/coreruleset/releases/tag/v3.3.3
  #
  # Every entry is expanded from the same template:
  #   action      = "deny(403)"  -- matching requests are rejected, not merely logged
  #   preview     = false        -- the rule is enforced rather than run in preview/log-only mode
  #   sensitivity = 1            -- maps to ModSecurity paranoia level 1. Levels 0-4 are accepted;
  #                                 level 0 enables no signatures. A lower level keeps only the
  #                                 higher-confidence signatures (fewer false positives); a higher
  #                                 level adds coverage at the cost of more false positives.
  #   priority    = 10000 + 10 * (position in the list), so evaluation order follows list order
  #                 and a gap of ten is left between consecutive rules for later inserts.
  # The list order therefore matters: reordering entries renumbers their priorities.
  preconfigured_waf_rules = [
    for idx, rule in [
      # OWASP CRS rule sets.
      { name = "sqli-v33-stable", description = "OWASP: SQL injection" },
      { name = "xss-v33-stable", description = "OWASP: Cross-site scripting" },
      { name = "lfi-v33-stable", description = "OWASP: Local file inclusion" },
      { name = "rfi-v33-stable", description = "OWASP: Remote file inclusion" },
      { name = "rce-v33-stable", description = "OWASP: Remote code execution" },
      { name = "methodenforcement-v33-stable", description = "OWASP: Method enforcement" },
      { name = "scannerdetection-v33-stable", description = "OWASP: Scanner detection" },
      { name = "protocolattack-v33-stable", description = "OWASP: Protocol attack" },
      { name = "php-v33-stable", description = "OWASP: PHP injection attack" },
      { name = "sessionfixation-v33-stable", description = "OWASP: Session fixation" },
      { name = "java-v33-stable", description = "OWASP: Java attack" },
      { name = "nodejs-v33-stable", description = "OWASP: NodeJS attack" },
      # Additional rule sets that detect and block specific vulnerabilities:
      #   cve-canary       -- CVE-2021-44228 and CVE-2021-45046 (Log4j RCE)
      #   json-sqli-canary -- 942550-sqli, SQL injection carried in JSON-formatted content
      # NOTE(review): both canary sets are enabled at sensitivity 1 like the CRS sets above.
      # Confirm against the Cloud Armor rule-tuning documentation that the signatures they
      # bundle are active at level 1; a signature assigned a higher level would be skipped,
      # leaving the rule in place but matching nothing.
      { name = "cve-canary", description = "Log4j vulnerability" },
      { name = "json-sqli-canary", description = "JSON-based SQL injection bypass vulnerability" }
    ] : {
      name        = rule.name
      action      = "deny(403)"
      description = rule.description
      preview     = false
      priority    = 10000 + 10 * idx
      sensitivity = 1
    }
  ]
}