# Web ACL assembled from the managed rule groups listed in var.managed_rules.
# Priority is the entry's position in that list (first entry = priority 0),
# so order the list from most specific / cheapest group to broadest.
module "aws_wafv2_web_acl_waf" {
  source  = "umotif-public/waf-webaclv2/aws"
  version = "~> 3.0.0"

  name_prefix = "${var.environment}_WAF"
  description = "${var.environment}_WAF"
  # CLOUDFRONT or REGIONAL. A CLOUDFRONT-scoped ACL has to be created through a
  # us-east-1 provider — NOTE(review): confirm the provider configuration used
  # for this module call.
  scope = var.scope

  # No ALB association is made here; attaching the ACL to a resource is done
  # elsewhere.
  create_alb_association = false
  # Requests that no rule group acts on are ALLOWED: the ACL is a deny-list, so
  # only the managed rule groups below ever block anything.
  allow_default_action = true

  visibility_config = {
    cloudwatch_metrics_enabled = true
    metric_name                = "${var.environment}_WAF"
    # NOTE(review): sampled requests give only a short retention window and
    # no logging destination is configured in this call; for incident
    # investigation, WAF logging (Firehose/S3) should be enabled as well.
    sampled_requests_enabled = true
  }

  tags = {
    product-name = "common"
  }

  rules = [
    for mr in var.managed_rules : {
      name = mr.rule_name
      # First index of this rule_name in the list. Two entries sharing a
      # rule_name would get the same priority, and AWS requires priorities to
      # be unique within a web ACL.
      priority = index(var.managed_rules[*].rule_name, mr.rule_name)
      # mode = "allow" puts the whole group into COUNT (detect only). Any other
      # value — including a misspelling — leaves the group's BLOCK actions in
      # force, i.e. the mapping fails closed.
      override_action = mr.mode != "allow" ? "none" : "count"

      managed_rule_group_statement = {
        vendor_name = mr.provider_name
        name        = mr.rule_name
        # Rules listed here are evaluated in count mode inside the group, so
        # they no longer block; each one is a deliberate gap in coverage.
        excluded_rule = mr.exceptions
      }

      visibility_config = {
        cloudwatch_metrics_enabled = true
        metric_name                = mr.rule_name
        sampled_requests_enabled   = true
      }
    }
  ]
}
-----------------------------------------------------------------------------------------------------------------------------
# Managed rule groups in priority order: the position in this list becomes the
# rule's WAF priority.
managed_rules = [
  # F5 OWASP group. With mode = "allow" the module sets override_action to
  # "count", so this group is detect-only and blocks nothing today. The
  # exceptions below therefore only change what gets counted, but they also
  # record which checks would stay switched off once the group is promoted to
  # "block". Judging by the rule names they cover script-tag XSS, a div
  # "behavior" attribute XSS, and Java code injection via
  # org.apache.commons.collections, each in query arguments and body.
  # NOTE(review): the last one corresponds to a well-known RCE payload class;
  # the false-positive justification should be recorded before this group is
  # moved to blocking mode.
  {
    mode          = "allow"
    provider_name = "F5"
    rule_name     = "OWASP_Managed"
    exceptions = [
      "rule_XSS_script_tag__Parameter__AllQueryArguments_Body",
      "rule_div_tag__behavior__Parameter__AllQueryArguments_Body",
      "rule_Java_code_injection___org_apache_commons_collections_AllQueryArguments_Body",
    ]
  },
  # AWS anonymous-IP list in blocking mode. HostingProviderIPList is excluded
  # (count only), so requests from hosting/cloud-provider address ranges are
  # let through; the group's other members still block.
  {
    mode          = "block"
    provider_name = "AWS"
    rule_name     = "AWSManagedRulesAnonymousIpList"
    exceptions    = ["HostingProviderIPList"]
  },
  # AWS IP reputation list in blocking mode, no exceptions.
  {
    mode          = "block"
    provider_name = "AWS"
    rule_name     = "AWSManagedRulesAmazonIpReputationList"
    exceptions    = []
  },
]
-----------------------------------------------------------------------------------------------------------------------------
# Environment label. It is embedded in the web ACL name/description and in the
# CloudWatch metric name of the ACL.
variable "environment" {
  type        = string
  description = "The name of the environment"
}
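# WAF scope. CLOUDFRONT web ACLs attach to CloudFront distributions and must be
# created in us-east-1; REGIONAL ones attach to regional resources (ALB, API
# Gateway, ...) in the provider's region and are selected via tfvars.
variable "scope" {
  type        = string
  default     = "CLOUDFRONT"
  description = "WAF scope: CLOUDFRONT or REGIONAL (override in the tfvars file for regional deployments)"

  # Reject anything other than the two values AWS accepts at plan time rather
  # than failing at apply time. Requires Terraform >= 0.13.
  validation {
    condition     = contains(["CLOUDFRONT", "REGIONAL"], var.scope)
    error_message = "Scope must be exactly CLOUDFRONT or REGIONAL."
  }
}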
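# Managed rule groups for the web ACL. Each entry names a vendor rule group,
# the rules inside it that are downgraded to count ("exceptions"), and a mode:
# "allow" = whole group in count mode, "block" = group actions enforced.
variable "managed_rules" {
  description = "Managed rule groups in priority order (list index = WAF priority); keep the total capacity within the web ACL WCU limit (1500 by default)"
  type = list(object({
    provider_name = string
    rule_name     = string
    exceptions    = list(string)
    mode          = string
  }))

  # The module maps mode == "allow" to count and every other value to block, so
  # a misspelled mode would silently turn into block. Fail early instead.
  # Requires Terraform >= 0.13.
  validation {
    condition     = length([for r in var.managed_rules : r.mode if !contains(["allow", "block"], r.mode)]) == 0
    error_message = "Each managed rule mode must be either \"allow\" (count only) or \"block\"."
  }

  # Priorities are derived from the first index of each rule_name; duplicate
  # names would produce duplicate priorities, which AWS rejects.
  validation {
    condition     = length(distinct(var.managed_rules[*].rule_name)) == length(var.managed_rules)
    error_message = "Managed rule names must be unique."
  }
}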