Tuesday 7 June 2022

AWS WAFv2 web ACL as a Terraform module

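# AWS WAFv2 web ACL built from the umotif-public community module.
# Only the ACL and its managed rule groups are declared here; the ALB
# association is switched off (create_alb_association = false) so the ACL
# can be attached to its resource elsewhere.
module "aws_wafv2_web_acl_waf" {
  source  = "umotif-public/waf-webaclv2/aws"
  version = "~> 3.0.0"

  name_prefix            = "${var.environment}_WAF"
  description            = "${var.environment}_WAF"
  scope                  = var.scope # CLOUDFRONT-scoped web ACLs can only be created via a us-east-1 provider
  create_alb_association = false

  # Default action for requests that no rule matches. With allow as the
  # default, the ACL blocks only what a rule group running with
  # override_action = "none" blocks; everything else is let through.
  allow_default_action = true

  tags = {
    product-name = "common"
  }

  visibility_config = {
    cloudwatch_metrics_enabled = true
    metric_name                = "${var.environment}_WAF"
    sampled_requests_enabled   = true
  }

  # One rule per entry in var.managed_rules. The list position is the rule
  # priority (lower evaluates first), so the order of var.managed_rules is
  # the evaluation order. The loop index is used directly instead of
  # index(var.managed_rules[*].rule_name, ...) so two entries can never
  # collapse onto the same priority.
  rules = [
    for idx, rule in var.managed_rules :
    {
      name     = rule.rule_name
      priority = idx

      # mode = "allow" runs the whole group with override_action "count":
      # matches are only recorded in metrics / sampled requests and nothing
      # is blocked. Any other mode value leaves the group's own actions in
      # force ("none"), i.e. the group blocks.
      override_action = rule.mode == "allow" ? "count" : "none"

      visibility_config = {
        cloudwatch_metrics_enabled = true
        metric_name                = rule.rule_name
        sampled_requests_enabled   = true
      }

      managed_rule_group_statement = {
        name        = rule.rule_name
        vendor_name = rule.provider_name
        # In AWS WAF an excluded rule is evaluated in count mode instead of
        # with its block action, so every name listed here is a hole in the
        # group's coverage. Re-check this list whenever a group is moved
        # from count ("allow") to block mode.
        excluded_rule = rule.exceptions
      }
    }
  ]
}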

-----------------------------------------------------------------------------------------------------------------------------

# Managed rule groups for the web ACL, in evaluation order (list position
# becomes the rule priority).
managed_rules = [
  # F5 OWASP rule group, run in count mode ("allow"): it records matches in
  # metrics and sampled requests but blocks nothing. The exceptions are
  # likewise evaluated in count mode inside the group, so they only start to
  # matter once the group is switched to "block".
  {
    rule_name     = "OWASP_Managed"
    provider_name = "F5"
    mode          = "allow"
    exceptions = [
      "rule_XSS_script_tag__Parameter__AllQueryArguments_Body",
      "rule_div_tag__behavior__Parameter__AllQueryArguments_Body",
      "rule_Java_code_injection___org_apache_commons_collections_AllQueryArguments_Body"
    ]
  },
  # AWS anonymous-IP list, in block mode. HostingProviderIPList is excluded,
  # so requests from cloud / hosting-provider address ranges are NOT blocked
  # by this group — keep that in mind if such traffic is not expected.
  {
    rule_name     = "AWSManagedRulesAnonymousIpList"
    provider_name = "AWS"
    mode          = "block"
    exceptions    = ["HostingProviderIPList"]
  },
  # AWS IP reputation list, in block mode with no exclusions.
  {
    rule_name     = "AWSManagedRulesAmazonIpReputationList"
    provider_name = "AWS"
    mode          = "block"
    exceptions    = []
  }
]

-----------------------------------------------------------------------------------------------------------------------------

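variable "environment" {
  description = "The name of the environment. Used as the prefix of the web ACL name, its description and its CloudWatch metric name."
  type        = string

  # The value is interpolated into the WAF name and metric name, which AWS
  # only accepts as letters, digits, '-' and '_'. Fail at plan time with a
  # clear message instead of at apply time. (validation blocks need
  # Terraform >= 0.13.)
  validation {
    condition     = can(regex("^[A-Za-z0-9_-]+$", var.environment))
    error_message = "The environment value must be non-empty and contain only letters, digits, '-' or '_' because it is used in WAF resource and metric names."
  }
}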

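variable "scope" {
  description = "Scope of the web ACL: CLOUDFRONT or REGIONAL. Defaults to CLOUDFRONT; set REGIONAL in the tfvars file when protecting regional resources such as an ALB or API Gateway. A CLOUDFRONT-scoped web ACL can only be created through a provider configured for us-east-1."
  type        = string
  default     = "CLOUDFRONT"

  # Enforce the two values the description promises so a typo is reported
  # at plan time rather than by the AWS API. (validation blocks need
  # Terraform >= 0.13.)
  validation {
    condition     = contains(["CLOUDFRONT", "REGIONAL"], var.scope)
    error_message = "The scope must be either CLOUDFRONT or REGIONAL."
  }
}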

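variable "managed_rules" {
  description = "Managed rule groups to attach, in evaluation order (list position becomes the rule priority). Keep the combined capacity under the web ACL WCU quota (1500 by default). mode = \"allow\" runs the group in count mode (observe only, nothing blocked); mode = \"block\" keeps the group's own block actions. exceptions lists rules inside the group to exclude, i.e. to evaluate in count mode only."

  # provider_name: managed rule vendor (e.g. "AWS", "F5").
  # rule_name:     managed rule group name; also used as the rule name and
  #                CloudWatch metric name inside the web ACL.
  # exceptions:    rules within the group to exclude (count only).
  # mode:          "allow" (count mode) or "block".
  type = list(object({
    provider_name = string
    rule_name     = string
    exceptions    = list(string)
    mode          = string
  }))

  # rule_name doubles as the rule name and metric name in the web ACL, so it
  # must be unique per entry (AWS rejects duplicate rule names). Check it
  # up front so the failure is explained at plan time. (validation blocks
  # need Terraform >= 0.13.)
  validation {
    condition     = length(distinct(var.managed_rules[*].rule_name)) == length(var.managed_rules)
    error_message = "Each rule_name in managed_rules must be unique."
  }

  # Only "allow" is special-cased (count mode); any other value silently
  # means block, so restrict mode to the two documented values to catch
  # typos such as "Allow" or "count".
  validation {
    condition     = length([for r in var.managed_rules : r if contains(["allow", "block"], r.mode)]) == length(var.managed_rules)
    error_message = "Each managed_rules mode must be either \"allow\" (count only) or \"block\"."
  }
}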