# IP set for the NAT / egress address. It is referenced (negated) by the
# rate-based rule below, so requests from this address are not counted
# against the rate limit.
# NOTE(review): WAF Classic expects ip_set_descriptor.value in CIDR notation
# (e.g. "a.b.c.d/32") — confirm that var.waf_nat_ip is declared that way.
resource "aws_wafregional_ipset" "nat" {
  name = "natIPSet"

  # A single descriptor; add further ip_set_descriptor blocks for more addresses.
  ip_set_descriptor {
    value = var.waf_nat_ip
    type  = "IPV4"
  }
}
# IP set of trusted addresses. It is only used as a negated predicate of the
# rate-based rule, i.e. it exempts an address from rate limiting; it does NOT
# override the blacklist rule in the web ACL.
# NOTE(review): value must be in CIDR notation — confirm var.waf_whitelisted_ip.
resource "aws_wafregional_ipset" "whitelist" {
  name = "whitelistIPSet"

  ip_set_descriptor {
    value = var.waf_whitelisted_ip
    type  = "IPV4"
  }
}
# IP set of addresses that the "block" rule denies unconditionally.
# NOTE(review): value must be in CIDR notation — confirm var.waf_blacklisted_ip.
resource "aws_wafregional_ipset" "blacklist" {
  name = "blacklistIPSet"

  ip_set_descriptor {
    value = var.waf_blacklisted_ip
    type  = "IPV4"
  }
}
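# Rate-based rule keyed on the client source IP. The rule matches once an IP
# exceeds rate_limit requests within AWS WAF's evaluation window (documented as
# five minutes for WAF Classic). Both predicates are negated, so requests from
# the NAT and whitelist IP sets are never counted and never rate-limited;
# every other source IP is.
#
# The explicit depends_on was removed: the predicate data_id references to
# aws_wafregional_ipset.nat and .whitelist already create those dependencies,
# and a redundant depends_on only widens the resource's dependency graph.
resource "aws_wafregional_rate_based_rule" "rate" {
  name        = "natWAFRule"
  metric_name = "natWAFRule"

  rate_key   = "IP"
  rate_limit = 3000 # requests per window per IP before the rule matches; tune to expected per-client load

  # Exempt the NAT / egress address.
  predicate {
    type    = "IPMatch"
    data_id = aws_wafregional_ipset.nat.id
    negated = true
  }

  # Exempt explicitly trusted addresses.
  predicate {
    type    = "IPMatch"
    data_id = aws_wafregional_ipset.whitelist.id
    negated = true
  }
}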
# Regular rule that matches any request whose source IP is in the blacklist
# IP set (predicate not negated). The BLOCK action is attached in the web ACL.
resource "aws_wafregional_rule" "block" {
  name        = "blockWAFRule"
  metric_name = "blockWAFRule"

  predicate {
    data_id = aws_wafregional_ipset.blacklist.id
    type    = "IPMatch"
    negated = false
  }
}
# Regional web ACL. Rules are evaluated in priority order and the first match
# decides; anything unmatched falls through to the ALLOW default action.
#   1. rate-limit (BLOCK) — non-NAT, non-whitelisted IPs over the threshold
#   2. blacklist  (BLOCK) — listed IPs, regardless of whitelist membership
# NOTE(review): no logging_configuration is set, so blocked requests leave no
# WAF log trail beyond CloudWatch metrics — worth adding if a log destination exists.
resource "aws_wafregional_web_acl" "default" {
  name        = "default"
  metric_name = "default"

  default_action {
    type = "ALLOW"
  }

  rule {
    priority = 1
    type     = "RATE_BASED"
    rule_id  = aws_wafregional_rate_based_rule.rate.id

    action {
      type = "BLOCK"
    }
  }

  rule {
    priority = 2
    type     = "REGULAR"
    rule_id  = aws_wafregional_rule.block.id

    action {
      type = "BLOCK"
    }
  }
}
# Attach the web ACL to the regional load balancer resolved by the
# data.aws_lb.default data source (declared elsewhere in this module).
resource "aws_wafregional_web_acl_association" "default" {
  web_acl_id   = aws_wafregional_web_acl.default.id
  resource_arn = data.aws_lb.default.arn
}