BBL-140 WAF Global module upgrade to tf-012 support + some minor enhancements.
exequielrafaela committed Oct 31, 2019
1 parent fad3797 commit 53c5ec2
Showing 14 changed files with 153 additions and 66 deletions.
65 changes: 33 additions & 32 deletions modules/waf-global/main.tf
Expand Up @@ -3,7 +3,7 @@
#
resource "aws_waf_web_acl" "waf_acl" {
name = "${var.waf_prefix}-generic-owasp-acl"
metric_name = "${var.waf_prefix}genericowaspacl"
metric_name = replace("${var.waf_prefix}genericowaspacl", "/[^0-9A-Za-z]/", "")

default_action {
type = "ALLOW"
Expand All @@ -15,11 +15,11 @@ resource "aws_waf_web_acl" "waf_acl" {
#
rules {
action {
type = "${var.rule_size_restriction_action_type}"
type = var.rule_size_restriction_action_type
}

priority = 10
rule_id = "${aws_waf_rule.restrict_sizes.id}"
rule_id = aws_waf_rule.restrict_sizes.id
type = "REGULAR"
}

Expand All @@ -29,54 +29,53 @@ resource "aws_waf_web_acl" "waf_acl" {
#
rules {
action {
type = "${var.rule_blacklisted_ips_action_type}"
type = var.rule_blacklisted_ips_action_type
}

priority = 20
rule_id = "${aws_waf_rule.detect_blacklisted_ips.id}"
rule_id = aws_waf_rule.detect_blacklisted_ips.id
type = "REGULAR"
}


#
# Reason: the apps do not use auth tokens yet.
# So COMMENT rule block below to deactivate this rule
#
rules {
action {
type = "${var.rule_auth_tokens_action}"
type = var.rule_auth_tokens_action
}

priority = 30
rule_id = "${aws_waf_rule.detect_bad_auth_tokens.id}"
rule_id = aws_waf_rule.detect_bad_auth_tokens.id
type = "REGULAR"
}

rules {
action {
type = "${var.rule_sqli_action}"
type = var.rule_sqli_action
}

priority = 40
rule_id = "${aws_waf_rule.mitigate_sqli.id}"
rule_id = aws_waf_rule.mitigate_sqli.id
type = "REGULAR"
}
rules {
action {
type = "${var.rule_xss_action}"
type = var.rule_xss_action
}

priority = 50
rule_id = "${aws_waf_rule.mitigate_xss.id}"
rule_id = aws_waf_rule.mitigate_xss.id
type = "REGULAR"
}
rules {
action {
type = "${var.rule_lfi_rfi_action}"
type = var.rule_lfi_rfi_action
}

priority = 60
rule_id = "${aws_waf_rule.detect_rfi_lfi_traversal.id}"
rule_id = aws_waf_rule.detect_rfi_lfi_traversal.id
type = "REGULAR"
}

Expand All @@ -86,26 +85,25 @@ resource "aws_waf_web_acl" "waf_acl" {
#
rules {
action {
type = "${var.rule_php_insecurities_action_type}"
type = var.rule_php_insecurities_action_type
}

priority = 70
rule_id = "${aws_waf_rule.detect_php_insecure.id}"
rule_id = aws_waf_rule.detect_php_insecure.id
type = "REGULAR"
}


#
# Reason: the apps do not use CSRF tokens.
# So COMMENT rule block below to deactivate this rule
#
rules {
action {
type = "${var.rule_csrf_action_type}"
type = var.rule_csrf_action_type
}

priority = 80
rule_id = "${aws_waf_rule.enforce_csrf.id}"
rule_id = aws_waf_rule.enforce_csrf.id
type = "REGULAR"
}

Expand All @@ -114,11 +112,11 @@ resource "aws_waf_web_acl" "waf_acl" {
#
rules {
action {
type = "${var.rule_ssi_action_type}"
type = var.rule_ssi_action_type
}

priority = 90
rule_id = "${aws_waf_rule.detect_ssi.id}"
rule_id = aws_waf_rule.detect_ssi.id
type = "REGULAR"
}

Expand All @@ -128,21 +126,24 @@ resource "aws_waf_web_acl" "waf_acl" {
#
rules {
action {
type = "${var.rule_admin_access_action_type}"
type = var.rule_admin_access_action_type
}

priority = 100
rule_id = "${aws_waf_rule.detect_admin_access.id}"
rule_id = aws_waf_rule.detect_admin_access.id
type = "REGULAR"
}

tags = "${var.tags}"
}

#
# This is how we link the WAF ACL to one or many CloudFront distributions.
#
resource "aws_wafregional_web_acl_association" "acl_cloudfront_association" {
depends_on = ["aws_waf_web_acl.waf_acl"]
count = "${length(var.cloudfront_arn)}"
resource_arn = "${element(var.cloudfront_arn, count.index)}"
web_acl_id = "${aws_waf_web_acl.waf_acl.id}"
depends_on = [aws_waf_web_acl.waf_acl]
count = length(var.cloudfront_arn)
resource_arn = element(var.cloudfront_arn, count.index)
web_acl_id = aws_waf_web_acl.waf_acl.id
}
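Review bot: `tags = "${var.tags}"` at the end of the `aws_waf_web_acl` resource is not valid under the 0.12 floor this commit introduces: a string template cannot wrap a map value, so validation fails; it should read `tags = var.tags`. `aws_wafregional_web_acl_association` also cannot take a CloudFront distribution ARN, because the WAF Regional association resource targets Application Load Balancers and API Gateway stages, while a global `aws_waf_web_acl` is attached to CloudFront through the `web_acl_id` argument of the distribution itself; as written the block fails at apply and the ACL is never enforced in front of the distributions, so the comment above it is misleading. `depends_on = [aws_waf_web_acl.waf_acl]` is redundant given the `web_acl_id` reference on the line below. The `aws_waf_web_acl` resource starts outside this hunk.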

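--- a/modules/waf-global/outputs.tf
+++ b/modules/waf-global/outputs.tf
@@ -1,3 +1,14 @@
 output "web_acl_id" {
-value = "${aws_waf_web_acl.waf_acl.id}"
+description = "AWS WAF web acl id."
+value = aws_waf_web_acl.waf_acl.id
 }
+
+output "web_acl_name" {
+description = "The name or description of the web ACL."
+value = aws_waf_web_acl.waf_acl.name
+}
+
+output "web_acl_metric_name" {
+description = "The name or description for the Amazon CloudWatch metric of this web ACL."
+value = aws_waf_web_acl.waf_acl.metric_name
+}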
20 changes: 15 additions & 5 deletions modules/waf-global/variables.tf
Expand Up @@ -3,17 +3,20 @@ variable "waf_prefix" {
}

variable "blacklisted_ips" {
type = "list"
description = "List of IPs to blacklist"
default = []
type = list(string)
description = "List of IPs to blacklist, eg ['1.1.1.1/32', '2.2.2.2/32', '3.3.3.3/32']"
}

variable "admin_remote_ipset" {
type = "list"
description = "List of IPs allowed to access admin pages"
default = []
type = list(string)
description = "List of IPs allowed to access admin pages, ['1.1.1.1/32', '2.2.2.2/32', '3.3.3.3/32']"
}

variable "cloudfront_arn" {
type = "list"
default = []
type = list(string)
description = "List of CloudFront Distributions ARNs"
}

Expand Down Expand Up @@ -66,3 +69,10 @@ variable "rule_blacklisted_ips_action_type" {
default = "COUNT"
description = "Rule action type. Either BLOCK, ALLOW, or COUNT (useful for testing)"
}

variable "tags" {
type = "map"
description = "A mapping of tags to assign to all resources"
default = {}
}
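Review bot: `type = "map"` on `tags` is the pre-0.12 quoted type form; with `required_version = ">= 0.12"` it should be `type = map(string)` so that a non-string tag value is rejected at plan time rather than by the provider. The example lists added to the `blacklisted_ips` and `admin_remote_ipset` descriptions use single quotes, which is not valid HCL and will fail for anyone who copies them into a tfvars file; use `["1.1.1.1/32", "2.2.2.2/32", "3.3.3.3/32"]`. `cloudfront_arn` now defaults to `[]`, so by default the ACL is created but attached to nothing, which is worth stating in its description. `variable "waf_prefix"` starts outside the first hunk.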

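--- /dev/null
+++ b/modules/waf-global/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+required_version = ">= 0.12"
+}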
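Review bot: `required_version = ">= 0.12"` constrains Terraform core but the module pins no AWS provider version, even though the `tags` argument this commit keeps on `aws_waf_web_acl` only exists in recent provider releases; an unpinned provider also means a fresh `terraform init` can pull a new major version with breaking changes into a security control. Add a provider constraint in this block, e.g. `required_providers { aws = "~> <TESTED_PROVIDER_VERSION>" }`, using the version the module was actually validated against.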
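--- a/modules/waf-global/waf_ruleset10_blacklisted_ips.tf
+++ b/modules/waf-global/waf_ruleset10_blacklisted_ips.tf
@@ -5,16 +5,42 @@
 
 resource "aws_waf_rule" "detect_blacklisted_ips" {
 name = "${var.waf_prefix}-generic-detect-blacklisted-ips"
-metric_name = "${var.waf_prefix}genericdetectblacklistedips"
+metric_name = replace("${var.waf_prefix}genericdetectblacklistedips", "/[^0-9A-Za-z]/", "")
 
 predicates {
-data_id = "${aws_waf_ipset.blacklisted_ips.id}"
+data_id = aws_waf_ipset.blacklisted_ips.id
 negated = false
 type = "IPMatch"
 }
 }
 
 resource "aws_waf_ipset" "blacklisted_ips" {
-name = "${var.waf_prefix}-generic-match-blacklisted-ips"
-ip_set_descriptors = "${var.blacklisted_ips}"
-}
+name = "${var.waf_prefix}-generic-match-blacklisted-ips"
+dynamic "ip_set_descriptors" {
+for_each = var.blacklisted_ips
+content {
+//resource "aws_waf_ipset" "test" {
+// name = "test"
+//
+// dynamic "ip_set_descriptors" {
+// # The for_each argument is a hardcoded list in this illustrative example,
+// # however it can be sourced from a variable or local value as well as
+// # support multiple argument values as a map.
+// for_each = ["1.1.1.1/32", "2.2.2.2/32", "3.3.3.3/32"]
+//
+// content {
+// type = "IPV4"
+// value = ip_set_descriptors.value
+// }
+// }
+//}
+//
+//output "test" {
+// value = aws_waf_ipset.test.ip_set_descriptors[*].value
+//}
+
+type = "IPV4"
+value = ip_set_descriptors.value
+}
+}
+}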
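Review bot: The `content` block of the new `dynamic "ip_set_descriptors"` carries nineteen commented-out `//` lines (a scratch `aws_waf_ipset.test` resource and a `test` output) that are dead text inside the block that actually builds the blocklist; drop them so the block reads `content { type = "IPV4"  value = ip_set_descriptors.value }`, and use `#` comments to match the rest of the module. `type = "IPV4"` is hard-coded while `blacklisted_ips` is an unconstrained `list(string)`, so an IPv6 CIDR placed in the variable is only rejected at apply time; say so in the variable description or validate the input. The `replace(..., "/[^0-9A-Za-z]/", "")` sanitisation of `metric_name` is repeated verbatim here and in waf_ruleset1_sqli.tf, waf_ruleset2_auth_tokens.tf, waf_ruleset3_xss.tf, waf_ruleset4_lfi_rfi.tf and main.tf; since every suffix is already alphanumeric, a single `locals` value such as `metric_prefix = replace(var.waf_prefix, "/[^0-9A-Za-z]/", "")` would keep all six metric names derived the same way.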
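--- a/modules/waf-global/waf_ruleset1_sqli.tf
+++ b/modules/waf-global/waf_ruleset1_sqli.tf
@@ -5,10 +5,10 @@
 
 resource "aws_waf_rule" "mitigate_sqli" {
 name = "${var.waf_prefix}-generic-mitigate-sqli"
-metric_name = "${var.waf_prefix}genericmitigatesqli"
+metric_name = replace("${var.waf_prefix}genericmitigatesqli", "/[^0-9A-Za-z]/", "")
 
 predicates {
-data_id = "${aws_waf_sql_injection_match_set.sql_injection_match_set.id}"
+data_id = aws_waf_sql_injection_match_set.sql_injection_match_set.id
 negated = false
 type = "SqlInjectionMatch"
 }
@@ -101,3 +101,4 @@ resource "aws_waf_sql_injection_match_set" "sql_injection_match_set" {
 }
 }
 }
+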
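--- a/modules/waf-global/waf_ruleset2_auth_tokens.tf
+++ b/modules/waf-global/waf_ruleset2_auth_tokens.tf
@@ -6,10 +6,10 @@
 
 resource "aws_waf_rule" "detect_bad_auth_tokens" {
 name = "${var.waf_prefix}-generic-detect-bad-auth-tokens"
-metric_name = "${var.waf_prefix}genericdetectbadauthtokens"
+metric_name = replace("${var.waf_prefix}genericdetectbadauthtokens", "/[^0-9A-Za-z]/", "")
 
 predicates {
-data_id = "${aws_waf_byte_match_set.match_auth_tokens.id}"
+data_id = aws_waf_byte_match_set.match_auth_tokens.id
 negated = false
 type = "ByteMatch"
 }
@@ -40,3 +40,4 @@ resource "aws_waf_byte_match_set" "match_auth_tokens" {
 }
 }
 }
+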
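--- a/modules/waf-global/waf_ruleset3_xss.tf
+++ b/modules/waf-global/waf_ruleset3_xss.tf
@@ -5,10 +5,10 @@
 
 resource "aws_waf_rule" "mitigate_xss" {
 name = "${var.waf_prefix}-generic-mitigate-xss"
-metric_name = "${var.waf_prefix}genericmitigatexss"
+metric_name = replace("${var.waf_prefix}genericmitigatexss", "/[^0-9A-Za-z]/", "")
 
 predicates {
-data_id = "${aws_waf_xss_match_set.xss_match_set.id}"
+data_id = aws_waf_xss_match_set.xss_match_set.id
 negated = false
 type = "XssMatch"
 }
@@ -83,3 +83,4 @@ resource "aws_waf_xss_match_set" "xss_match_set" {
 }
 }
 }
+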
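--- a/modules/waf-global/waf_ruleset4_lfi_rfi.tf
+++ b/modules/waf-global/waf_ruleset4_lfi_rfi.tf
@@ -6,10 +6,10 @@
 
 resource "aws_waf_rule" "detect_rfi_lfi_traversal" {
 name = "${var.waf_prefix}-generic-detect-rfi-lfi-traversal"
-metric_name = "${var.waf_prefix}genericdetectrfilfitraversal"
+metric_name = replace("${var.waf_prefix}genericdetectrfilfitraversal", "/[^0-9A-Za-z]/", "")
 
 predicates {
-data_id = "${aws_waf_byte_match_set.match_rfi_lfi_traversal.id}"
+data_id = aws_waf_byte_match_set.match_rfi_lfi_traversal.id
 negated = false
 type = "ByteMatch"
 }
@@ -98,3 +98,4 @@ resource "aws_waf_byte_match_set" "match_rfi_lfi_traversal" {
 }
 }
 }
+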