Skip to content

Latest commit

 

History

History

dns-firewall-rule-group

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 
main.tf
main.tf
 
 
outputs.tf
outputs.tf
 
 
ram-share.tf
ram-share.tf
 
 
resource-group.tf
resource-group.tf
 
 
variables.tf
variables.tf
 
 
versions.tf
versions.tf
 
 

README.md

dns-firewall-rule-group

This module creates following resources.

  • aws_route53_resolver_firewall_rule_group
  • aws_route53_resolver_firewall_rule (optional)

Requirements

Name Version
terraform >= 1.5
aws >= 4.14

Providers

Name Version
aws 5.19.0

Modules

Name Source Version
resource_group tedilabs/misc/aws//modules/resource-group ~> 0.10.0
share tedilabs/account/aws//modules/ram-share ~> 0.23.0

Resources

Name Type
aws_route53_resolver_firewall_rule.this resource
aws_route53_resolver_firewall_rule_group.this resource

Inputs

Name Description Type Default Required
name (Required) Friendly name of the firewall rule group. string n/a yes
description (Optional) The description of the firewall rule group. string "Managed by Terraform." no
module_tags_enabled (Optional) Whether to create AWS Resource Tags for the module informations. bool true no
resource_group_description (Optional) The description of Resource Group. string "Managed by Terraform." no
resource_group_enabled (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. bool true no
resource_group_name (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with AWS or aws. string "" no
rules (Optional) The rules that you define for the firewall rule group determine the filtering behavior. Each rule consists of a priority, a domain list, and action. Each item of rules block as defined below.
(Required) priority - Determine the processing order of the rule in the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest priority.
(Required) name - A name that lets you identify the rule.
(Optional) description - The description of the rule.
(Required) domain_list - The ID of the domain list that you want to use in the rule.
(Required) action - The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list. Valid values are ALLOW, BLOCK, ALERT.
(Optional) action_parameters - The configuration block for the parameters of the rule action. Only required with BLOCK action. action_parameters block as defined below.
(Required) response - The way that you want DNS Firewall to block the request. Valid values are NODATA, NXDOMAIN, OVERRIDE. NODATA indicates that this query was successful, but there is no response available for the query. NXDOMAIN indicates that the domain name that's in the query doesn't exist. OVERRIDE provides a custom override response to the query.
(Optional) override - The configuration for a custom override response to the query. Only required with OVERRIDE block response.
(Required) type - The DNS record's type. This determines the format of the record value that you provided in BlockOverrideDomain. Value values are CNAME.
(Required) value - The custom DNS record to send back in response to the query.
(Required) ttl - The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Minimum value of 0. Maximum value of 604800.		 
list(object({
    priority    = number
    name        = string
    description = optional(string, "Managed by Terraform.")
    domain_list = string

    action = string
    action_parameters = optional(object({
      response = optional(string)
      override = optional(object({
        type  = string
        value = string
        ttl   = number
      }))
    }))
  }))
 [] no
shares (Optional) A list of resource shares via RAM (Resource Access Manager). 
list(object({
    name = optional(string)

    permissions = optional(set(string), ["AWSRAMDefaultPermissionResolverFirewallRuleGroup"])

    external_principals_allowed = optional(bool, false)
    principals                  = optional(set(string), [])

    tags = optional(map(string), {})
  }))
 [] no
tags (Optional) A map of tags to add to all resources. map(string) {} no

Outputs

Name Description
arn The ARN of the firewall rule group.
id The ID of the firewall rule group.
name The name of the firewall rule group.
owner_id The AWS Account ID for the account that created the rule group.
rules The rules of the firewall rule group.
sharing The configuration for sharing of the Route53 Resolver DNS Firewall Rule Group.
status - An indication of whether the rule group is shared with other AWS accounts, or was shared with the current account by another AWS account. Sharing is configured through AWS Resource Access Manager (AWS RAM). Values are NOT_SHARED, SHARED_BY_ME or SHARED_WITH_ME.
shares - The list of resource shares via RAM (Resource Access Manager).