
add waf
HK authored and HK committed Oct 12, 2023
1 parent fe5c7cd commit ec4e59a
Showing 1 changed file with 210 additions and 0 deletions.
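--- a/infra/modules/service/waf.tf
+++ b/infra/modules/service/waf.tf
@@ -0,0 +1,210 @@
+resource "aws_wafv2_web_acl" "waf" {
+name = "wafv2-web-acl"
+scope = "REGIONAL"
+
+default_action {
+allow {
+}
+}
+
+visibility_config {
+cloudwatch_metrics_enabled = true
+metric_name = "WAF_Common_Protections"
+sampled_requests_enabled = true
+}
+
+rule {
+name = "AWS-AWSManagedRulesCommonRuleSet"
+priority = 0
+override_action {
+none {
+}
+}
+statement {
+managed_rule_group_statement {
+name = "AWSManagedRulesCommonRuleSet"
+vendor_name = "AWS"
+
+rule_action_override {
+action_to_use {
+allow {}
+}
+
+name = "SizeRestrictions_BODY"
+}
+
+rule_action_override {
+action_to_use {
+allow {}
+}
+
+name = "NoUserAgent_HEADER"
+}
+}
+}
+visibility_config {
+cloudwatch_metrics_enabled = true
+metric_name = "AWS-AWSManagedRulesCommonRuleSet"
+sampled_requests_enabled = true
+}
+}
+
+rule {
+name = "AWS-AWSManagedRulesLinuxRuleSet"
+priority = 1
+override_action {
+none {
+}
+}
+statement {
+managed_rule_group_statement {
+name = "AWSManagedRulesLinuxRuleSet"
+vendor_name = "AWS"
+}
+}
+visibility_config {
+cloudwatch_metrics_enabled = true
+metric_name = "AWS-AWSManagedRulesLinuxRuleSet"
+sampled_requests_enabled = true
+}
+}
+
+rule {
+name = "AWS-AWSManagedRulesAmazonIpReputationList"
+priority = 2
+override_action {
+none {
+}
+}
+statement {
+managed_rule_group_statement {
+name = "AWSManagedRulesAmazonIpReputationList"
+vendor_name = "AWS"
+}
+}
+visibility_config {
+cloudwatch_metrics_enabled = true
+metric_name = "AWS-AWSManagedRulesAmazonIpReputationList"
+sampled_requests_enabled = true
+}
+}
+
+rule {
+name = "AWS-AWSManagedRulesAnonymousIpList"
+priority = 3
+override_action {
+none {
+}
+}
+statement {
+managed_rule_group_statement {
+name = "AWSManagedRulesAnonymousIpList"
+vendor_name = "AWS"
+
+rule_action_override {
+action_to_use {
+allow {}
+}
+
+name = "HostingProviderIPList"
+}
+}
+}
+visibility_config {
+cloudwatch_metrics_enabled = true
+metric_name = "AWS-AWSManagedRulesAnonymousIpList"
+sampled_requests_enabled = true
+}
+}
+
+rule {
+name = "AWS-AWSManagedRulesKnownBadInputsRuleSet"
+priority = 4
+override_action {
+none {
+}
+}
+statement {
+managed_rule_group_statement {
+name = "AWSManagedRulesKnownBadInputsRuleSet"
+vendor_name = "AWS"
+}
+}
+visibility_config {
+cloudwatch_metrics_enabled = true
+metric_name = "AWS-AWSManagedRulesKnownBadInputsRuleSet"
+sampled_requests_enabled = true
+}
+}
+
+rule {
+name = "AWS-AWSManagedRulesUnixRuleSet"
+priority = 5
+override_action {
+none {
+}
+}
+statement {
+managed_rule_group_statement {
+name = "AWSManagedRulesUnixRuleSet"
+vendor_name = "AWS"
+}
+}
+visibility_config {
+cloudwatch_metrics_enabled = true
+metric_name = "AWS-AWSManagedRulesUnixRuleSet"
+sampled_requests_enabled = true
+}
+}
+
+rule {
+name = "AWS-AWSManagedRulesWindowsRuleSet"
+priority = 6
+override_action {
+none {
+}
+}
+statement {
+managed_rule_group_statement {
+name = "AWSManagedRulesWindowsRuleSet"
+vendor_name = "AWS"
+rule_action_override {
+action_to_use {
+allow {}
+}
+
+name = "WindowsShellCommands_BODY"
+}
+}
+}
+visibility_config {
+cloudwatch_metrics_enabled = true
+metric_name = "AWS-AWSManagedRulesWindowsRuleSet"
+sampled_requests_enabled = true
+}
+}
+
+}
+
+resource "aws_cloudwatch_log_group" "WafWebAclLoggroup" {
+name = "aws-waf-logs-wafv2-web-acl"
+retention_in_days = 30
+}
+
+resource "aws_wafv2_web_acl_logging_configuration" "WafWebAclLogging" {
+log_destination_configs = [aws_cloudwatch_log_group.WafWebAclLoggroup.arn]
+resource_arn = aws_wafv2_web_acl.WafWebAcl.arn
+depends_on = [
+aws_wafv2_web_acl.WafWebAcl,
+aws_cloudwatch_log_group.WafWebAclLoggroup
+]
+}
+
+resource "aws_wafv2_web_acl_association" "WafWebAclAssociation" {
+resource_arn = aws_lb.alb.arn
+web_acl_arn = aws_wafv2_web_acl.WafWebAcl.arn
+depends_on = [
+aws_wafv2_web_acl.WafWebAcl,
+aws_cloudwatch_log_group.WafWebAclLoggroup
+]
+}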
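Review bot: The web ACL is declared as `aws_wafv2_web_acl.waf` but the logging configuration and the ALB association reference `aws_wafv2_web_acl.WafWebAcl` (in `resource_arn`, `web_acl_arn` and both `depends_on` lists), which is an undeclared resource and will fail at plan time, so neither logging nor the ALB attachment would ever be created; change those references to `aws_wafv2_web_acl.waf.arn` and `aws_wafv2_web_acl.waf`. Separately, the four `rule_action_override` blocks set `action_to_use { allow {} }` for SizeRestrictions_BODY, NoUserAgent_HEADER, HostingProviderIPList and WindowsShellCommands_BODY; Allow is a terminating action, so a request matching one of them (for example a request with no User-Agent header) is accepted immediately and skips every lower-priority rule group, including the IP reputation, known-bad-inputs and Linux/Unix rule sets. If the intent is only to stop those sub-rules from blocking, `action_to_use { count {} }` keeps the rest of the ACL evaluating and still records the match in the sampled requests and the log group configured below, which is the usual tuning step before deciding on a permanent exception. A short comment on each override stating why that sub-rule is relaxed would also help the next maintainer judge whether the exception is still needed. The `depends_on` lists on the logging and association resources are redundant with the attribute references and can be dropped once the references are fixed.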
