Monday, 9 May 2022

WAFv2 as a resource

# Web ACL composed entirely of vendor-managed rule groups. The groups, their
# priority (list position) and their enforcement mode come from var.managed_rules;
# var.web_acl_name and var.scope are expected to be declared elsewhere in the module.
resource "aws_wafv2_web_acl" "web_acl_rules" {
  name        = var.web_acl_name
  description = var.web_acl_name
  scope       = var.scope

  tags = {
    product-name = "common"
  }

  # Allow by default: a request is only blocked when a managed group matches it
  # and that group's vendor actions are enforced (override "none" below).
  default_action {
    allow {
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = var.web_acl_name
    sampled_requests_enabled   = true
  }

  # One rule per entry of var.managed_rules. The list index becomes the WAF
  # priority, so reordering the variable changes the evaluation order.
  dynamic "rule" {
    for_each = var.managed_rules
    content {
      name     = "${var.web_acl_name}-${rule.value.rule_name}"
      priority = rule.key

      # "block" keeps the vendor's own rule actions (override "none"); "count"
      # only records matches. NOTE(review): any other mode value (e.g. "allow")
      # emits neither block, leaving override_action empty — confirm the provider
      # rejects that at apply time rather than silently accepting it.
      override_action {
        dynamic "none" {
          for_each = rule.value.mode == "block" ? [1] : []
          content {}
        }
        dynamic "count" {
          for_each = rule.value.mode == "count" ? [1] : []
          content {}
        }
      }

      statement {
        managed_rule_group_statement {
          name        = rule.value.rule_name
          vendor_name = rule.value.provider_name
          # Excluded rules are not removed from the group: WAF still evaluates
          # them in count mode, so they keep appearing in metrics and sampled
          # requests. Names must match the vendor's rule names exactly.
          dynamic "excluded_rule" {
            for_each = rule.value.exceptions
            content {
              name = excluded_rule.value
            }
          }
        }
      }

      # Separate metric per rule group so each vendor group can be watched on its own.
      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = "${var.web_acl_name}-${rule.value.rule_name}"
        sampled_requests_enabled   = true
      }
    }
  }
}

-----------------------------------------------------------------------------------------------------------------------------

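scope = "REGIONAL"

# Managed rule groups in priority order (list index = WAF priority). Keep the
# combined capacity under the web ACL WCU limit. mode must be "block" (enforce
# the vendor's actions) or "count" (record matches only); the web ACL resource
# emits no override_action for any other value.
managed_rules = [
  {
    provider_name = "F5"
    rule_name     = "OWASP_Managed"
    # The excluded rule is still evaluated by WAF, but only counted.
    exceptions    = ["rule_XML_External_Entity__XXE__injection_attempt__Content__AllQueryArguments_Body"]
    # Previously "allow", which is not an override mode the resource understands
    # (it would produce an empty override_action). "count" keeps the non-blocking
    # intent while still surfacing matches in metrics and sampled requests.
    mode          = "count"
  },
  {
    provider_name = "AWS"
    rule_name     = "AWSManagedRulesAnonymousIpList"
    # Hosting-provider source IPs are counted rather than blocked.
    exceptions    = ["HostingProviderIPList"]
    mode          = "block"
  },
  {
    provider_name = "AWS"
    rule_name     = "AWSManagedRulesAmazonIpReputationList"
    exceptions    = []
    mode          = "block"
  }
]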

-----------------------------------------------------------------------------------------------------------------------------

# Deployment environment name. Not referenced by the web ACL resource on this
# page; presumably consumed by other resources in the module.
variable "environment" {
  type        = string
  description = "The name of the environment"
}

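# Where the web ACL is attached. Defaults to CLOUDFRONT; set REGIONAL in the
# tfvars file when protecting regional resources (ALB, API Gateway, ...).
# A CLOUDFRONT-scoped web ACL must be managed through a us-east-1 provider.
variable "scope" {
  description = "Attachment scope of the web ACL: CLOUDFRONT or REGIONAL (declare REGIONAL in the tfvars file when needed)"
  type        = string
  default     = "CLOUDFRONT"

  # Any other value is only rejected by the AWS API at apply time; fail at plan instead.
  validation {
    condition     = contains(["CLOUDFRONT", "REGIONAL"], var.scope)
    error_message = "The scope must be either CLOUDFRONT or REGIONAL."
  }
}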

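# Ordered list of vendor-managed rule groups for the web ACL. The list index is
# used as the WAF rule priority, so order matters.
variable "managed_rules" {
  description = "Managed rule groups in priority order (list index = WAF priority). Keep the total capacity under 1500 WCUs. mode is \"block\" (enforce the vendor's actions) or \"count\" (record matches only)."
  type = list(object({
    provider_name = string       # vendor name, e.g. AWS
    rule_name     = string       # managed rule group name
    exceptions    = list(string) # rules within the group switched to count
    mode          = string       # "block" or "count"
  }))

  # The web ACL resource only emits an override_action for these two values;
  # anything else yields an empty override_action, so reject it at plan time.
  validation {
    condition     = alltrue([for r in var.managed_rules : contains(["block", "count"], r.mode)])
    error_message = "Each managed rule's mode must be \"block\" or \"count\"."
  }
}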