AWS WAF Security Automation - modular with Terraform
This provides a modular way to deploy the WAF Reference Architecture (see bellow for image) The key things about this (and comparison with the official Amazon Cloud Formation) are:
- It is ridiculously fast - 6-8x faster than Amazon's Cloud Formation method
- It provides roll-back, undo, recovery, and clean delete abilities - all automatically
- It is modular (with Terraform)! This is extremely important. Any component can be replaced, extended, or integrated with something else. You can very easily re-purpose all of this (or any part) for a different AWS Automation project/purpose.
Getting Started is very simple
First: Edit "amazon-cred-file.tf", and point to your AWS cred file.
Then, for each project/customer's CDN S3 bucket, run:
% ./waf --help Usage: ./waf <customer> <s3-logs-bucket> <command> <command> Options: create = create a new WAF setup for <customer> delete = delete a given <customer> WAF setup Example: ./waf cerbo s3-bucket-name create Example: ./waf customer01 s3-bucket-name delete
WAF Reference Architecture:
Documentation on WAF Security Automation:
Amazon WAF 4 Steps to customization:
Amazon's WAF Security Lambdas (latest via GitHub):
Cloud Formation for WAF Reference Architecture:
- The Cloud Formation "way" has many problems, one of which is that it's a single shot "all or nothing" approach.
- It is ridiculously slow.
- This is mostly to compare to our automated deployment, and make sure everything is the same https://console.aws.amazon.com/cloudformation/designer/home?region=us-east-1&templateUrl=https://s3.amazonaws.com/solutions-reference/aws-waf-security-automations/latest/aws-waf-security-automations.template
Copyright 2016 Cerbo.IO, LLC. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.