This repository has been archived by the owner on Jun 4, 2021. It is now read-only.
/
waf.yml
79 lines (74 loc) · 2.14 KB
/
waf.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
AWSTemplateFormatVersion: 2010-09-09
Description: CloudFormation template for WAF resources
Parameters:
Stage:
Type: String
AllowedValues:
- test
- preprod
- prod
ProductName:
Type: String
Default: fdbt
HeaderName:
Type: String
Default: X-Origin-Verify
Description: Header name for origin secret
Resources:
OriginVerifySecret:
Type: AWS::SecretsManager::Secret
Properties:
GenerateSecretString:
SecretStringTemplate: '{"HEADERVALUE": "RandomPassword"}'
GenerateStringKey: "HEADERVALUE"
ExcludePunctuation: true
RestrictToCloudfrontAccessAcl:
Type: AWS::WAFv2::WebACL
Properties:
Name: !Sub ${ProductName}-waf-restrict-cloudfront-access-${Stage}
Scope: REGIONAL
Description: Restricts access to CloudFront
DefaultAction:
Block: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: RestrictCloudfrontAccessMetric
Rules:
- Name: AllowCloudfrontHeader
Priority: 0
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: AllowCloudfrontHeaderMetric
Action:
Allow: {}
Statement:
ByteMatchStatement:
PositionalConstraint: EXACTLY
FieldToMatch:
SingleHeader:
Name: !Ref HeaderName
SearchString:
!Join [
"",
[
"{{resolve:secretsmanager:",
!Ref OriginVerifySecret,
":SecretString:HEADERVALUE}}",
],
]
TextTransformations:
- Priority: 0
Type: NONE
WafAssociation:
Type: AWS::WAFv2::WebACLAssociation
Properties:
ResourceArn:
Fn::ImportValue: !Sub ${Stage}:LoadbalancerArn
WebACLArn: !GetAtt RestrictToCloudfrontAccessAcl.Arn
Outputs:
OriginVerifySecret:
Value: !Ref OriginVerifySecret
Export:
Name: !Sub ${Stage}:OriginVerifySecret