> This repository has been archived by the owner on Mar 23, 2022. It is now read-only.
# WAF

This module creates the aws_fms_policy resources and the Firehose log configuration in each previously defined region.

By default, each policy creates a Web ACL that is associated with every web resource in the target accounts. To keep a resource out of this automatic association, create it with the matching exclusion tag: "fms_waf_acl_exclude_NOME_POLICY = true". Alternatively, the policy can be made to associate only resources that carry the tag "fms_waf_acl_include_NOME_POLICY = true"; which of the two behaviours applies is controlled by the exclude_resource_tags input.

## Module policy

Creates an FMS policy of type WAFV2, in which we define which managed rules and custom rules are applied to which AWS accounts of the organization.

### Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.13 |
| aws | 3.37.0 |

### Submodules

| Name | Source |
|------|--------|
| policy_af-south-1 | ./submodule |
| policy_ap-east-1 | ./submodule |
| policy_ap-northeast-1 | ./submodule |
| policy_ap-northeast-2 | ./submodule |
| policy_ap-northeast-3 | ./submodule |
| policy_ap-south-1 | ./submodule |
| policy_ap-southeast-1 | ./submodule |
| policy_ap-southeast-2 | ./submodule |
| policy_ca-central-1 | ./submodule |
| policy_eu-central-1 | ./submodule |
| policy_eu-north-1 | ./submodule |
| policy_eu-south-1 | ./submodule |
| policy_eu-west-1 | ./submodule |
| policy_eu-west-2 | ./submodule |
| policy_eu-west-3 | ./submodule |
| policy_global | ./submodule |
| policy_me-south-1 | ./submodule |
| policy_us-east-1 | ./submodule |
| policy_us-east-2 | ./submodule |

### Submodule Resources

| Name | Type |
|------|------|
| aws_fms_policy.policy | resource |
| aws_iam_policy.firehose-role-policy | resource |
| aws_iam_role.firehose-role | resource |
| aws_iam_role_policy_attachment.firehose_role_attachment | resource |
| aws_kinesis_firehose_delivery_stream.firehose | resource |
| aws_caller_identity.current | data source |
| aws_region.current | data source |
| external_external.rules | data source |

### Submodule Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| scope | CLOUDFRONT or REGIONAL | string | n/a | yes |

### Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| accounts | Accounts the policy will be applied to | list(string) | n/a | yes |
| regions | Regions to apply this policy in | list(string) | n/a | yes |
| exclude_resource_tags | Tag strategy: when true, the tags defined in resource_tags exclude the matching resources; when false, only resources carrying those tags are included | bool | true | no |
| logging_bucket_arn | Bucket to store logs | string | n/a | yes |
| managed_rules | List of managed rules | list | [] | no |
| policy_name | The policy name | string | n/a | yes |
| resource_tags | The tags used to exclude or include resources | list | [] | no |
| rule_groups | Map of custom rule groups by region | map | {} | no |

### Usage

```hcl
module "policy" {
  source = "github.com/Hotmart-Org/terraform-modules-aws-fms/waf/policy"

  policy_name = "NOME_POLICY"
  accounts    = [
    "ID_DA_CONTA_ONDE_ESSA_POLICY_SERÁ_ATIVADA"
  ]

  firehose_logging_arn = module.waf.firehose_logging_arn

  managed_rules = [
    {
      vendorName           = "AWS",
      managedRuleGroupName = "AWSManagedRulesAmazonIpReputationList",
    },
    {
      vendorName           = "AWS",
      managedRuleGroupName = "AWSManagedRulesCommonRuleSet",
      action               = "COUNT"
    }
    # ...
  ]
}
```
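The following is an added example, not code from the Hotmart module. It models two things the policy module does behind the `aws_fms_policy` resource: how a `managed_rules` / `rule_groups` input (the key names used in the usage block above) becomes the FMS WAFV2 managedServiceData document, with `action = "COUNT"` mapped to an override action, and which resources end up associated with the Web ACL under the exclude and include tag strategies described at the top of this page. The managedServiceData field names follow the AWS FMS WAFV2 schema; the helper names, the placeholder ARNs and the `firehose_arn` parameter are assumptions of the example.

```python
"""Added example (not from the Hotmart terraform-modules-aws-fms repository):
render FMS WAFV2 managedServiceData from the README's managed_rules/rule_groups
shape, and apply the README's exclude/include tag contract to a resource."""
import json


def build_managed_service_data(managed_rules, rule_groups=(), firehose_arn=None,
                               default_action="ALLOW"):
    """Return the managedServiceData document as a dict.

    managed_rules items use the README's keys (vendorName, managedRuleGroupName and an
    optional action). action == "COUNT" becomes an overrideAction of type COUNT; anything
    else leaves the vendor's own rule actions in force (type NONE).
    rule_groups are ARNs of custom WAFv2 rule groups for the same scope/region.
    """
    pre_process = []
    for rule in managed_rules:
        pre_process.append({
            "ruleGroupArn": None,
            "overrideAction": {"type": "COUNT" if rule.get("action") == "COUNT" else "NONE"},
            "managedRuleGroupIdentifier": {
                "version": None,
                "vendorName": rule["vendorName"],
                "managedRuleGroupName": rule["managedRuleGroupName"],
            },
            "ruleGroupType": "ManagedRuleGroup",
            "excludeRules": [],
        })
    for arn in rule_groups:
        pre_process.append({
            "ruleGroupArn": arn,
            "overrideAction": {"type": "NONE"},
            "managedRuleGroupIdentifier": None,
            "ruleGroupType": "RuleGroup",
            "excludeRules": [],
        })
    doc = {
        "type": "WAFV2",
        "preProcessRuleGroups": pre_process,
        "postProcessRuleGroups": [],
        "defaultAction": {"type": default_action},
        # False leaves a Web ACL the account attached itself in place instead of replacing it
        "overrideCustomerWebACLAssociation": False,
    }
    if firehose_arn is not None:
        # FMS only accepts a Kinesis Data Firehose stream whose name starts with "aws-waf-logs-".
        stream_name = firehose_arn.rsplit("/", 1)[-1]
        if not stream_name.startswith("aws-waf-logs-"):
            raise ValueError(f"log destination {stream_name!r} must be named aws-waf-logs-*")
        doc["loggingConfiguration"] = {"logDestinationConfigs": [firehose_arn],
                                       "redactedFields": []}
    return doc


def render_managed_service_data(*args, **kwargs):
    """JSON string form, as it goes into security_service_policy_data.managed_service_data."""
    return json.dumps(build_managed_service_data(*args, **kwargs), separators=(",", ":"))


def policy_associates(resource_tags, policy_name, exclude_resource_tags=True):
    """Apply the README's tag contract to one resource's tags (exact, case-sensitive match).

    exclude_resource_tags=True : every web resource is associated unless it carries
                                 fms_waf_acl_exclude_<policy> = "true".
    exclude_resource_tags=False: only resources carrying fms_waf_acl_include_<policy> = "true"
                                 are associated.
    """
    if exclude_resource_tags:
        return resource_tags.get(f"fms_waf_acl_exclude_{policy_name}") != "true"
    return resource_tags.get(f"fms_waf_acl_include_{policy_name}") == "true"


if __name__ == "__main__":
    # Constructed inputs mirroring the README's usage block (placeholder ARN, not a real resource).
    rules = [
        {"vendorName": "AWS", "managedRuleGroupName": "AWSManagedRulesAmazonIpReputationList"},
        {"vendorName": "AWS", "managedRuleGroupName": "AWSManagedRulesCommonRuleSet", "action": "COUNT"},
    ]
    firehose = "arn:aws:firehose:us-east-1:111111111111:deliverystream/aws-waf-logs-NOME_POLICY"
    print(render_managed_service_data(rules, firehose_arn=firehose))
    for tags in ({}, {"fms_waf_acl_exclude_NOME_POLICY": "true"}, {"fms_waf_acl_include_NOME_POLICY": "true"}):
        print(tags, "exclude-mode:", policy_associates(tags, "NOME_POLICY", True),
              "include-mode:", policy_associates(tags, "NOME_POLICY", False))
```

Two points the table above does not spell out: a `COUNT` override is what makes a new managed rule group safe to roll out in monitoring mode before it blocks anything, and the WAF log destination must be a Firehose stream named `aws-waf-logs-*`, which is why the module creates its own delivery stream rather than writing straight to the logging bucket.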

## Module acl

Customizes the WAF web ACL (v2) in each account, for example to add a rate-limit rule (currently this only works per account, individually; it cannot be defined in the policy).

### Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.13 |
| aws | 3.37.0 |

### Submodules

| Name | Source |
|------|--------|
| acl_af-south-1 | ./submodule |
| acl_ap-east-1 | ./submodule |
| acl_ap-northeast-1 | ./submodule |
| acl_ap-northeast-2 | ./submodule |
| acl_ap-northeast-3 | ./submodule |
| acl_ap-south-1 | ./submodule |
| acl_ap-southeast-1 | ./submodule |
| acl_ap-southeast-2 | ./submodule |
| acl_ca-central-1 | ./submodule |
| acl_eu-central-1 | ./submodule |
| acl_eu-north-1 | ./submodule |
| acl_eu-south-1 | ./submodule |
| acl_eu-west-1 | ./submodule |
| acl_eu-west-2 | ./submodule |
| acl_eu-west-3 | ./submodule |
| acl_global | ./submodule |
| acl_me-south-1 | ./submodule |
| acl_sa-east-1 | ./submodule |
| acl_us-east-1 | ./submodule |
| acl_us-east-2 | ./submodule |

### Submodule Resources

| Name | Type |
|------|------|
| aws_wafv2_web_acl.acl | resource |
| aws_region.current | data source |
| external_external.name | data source |

### Submodule Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| scope | CLOUDFRONT or REGIONAL | any | n/a | yes |

### Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| custom_rule_group_arn | n/a | map | null | no |
| managed_rules | n/a | list | [] | no |
| name | n/a | string | n/a | yes |
| rate_limit | n/a | number | 0 | no |
| rate_limit_action | n/a | string | "block" | no |
| regions | Regions to apply this policy in | list | n/a | yes |

### Usage

```hcl
module "acl" {
  source = "github.com/Hotmart-Org/terraform-modules-aws-fms/waf/acl"
  name   = "NOME_POLICY"

  rate_limit        = 2000
  rate_limit_action = "count | block" # default is block

  custom_rule_group_arn = {
    global    = "ARN RULE GROUP SCOPE CLOUDFRONT"
    us-east-1 = "ARN RULE GROUP SCOPE REGIONAL us-east-1"
  }

  managed_rules = [
    {
      vendorName           = "AWS",
      managedRuleGroupName = "AWSManagedRulesAmazonIpReputationList",
    },
    {
      vendorName           = "AWS",
      managedRuleGroupName = "AWSManagedRulesCommonRuleSet",
      action               = "COUNT"
    }
    # ...
  ]
}
```

Note: before this module is applied in production it must be imported, because the Web ACL is created by FMS and the intent is to customize what was already created. The existing Web ACL therefore has to be imported into the state before applying; if this is not done, the pipeline will break. To do so, follow these steps:

  1. Activate the policy in the target account.

  2. Prepare the code to apply in the target account, using the module described above.

  3. Retrieve the id and name of the Web ACL created by FMS in the target account and import them into the state with these commands:

```bash
terraform init

acl_name=NOME_POLICY

# CLOUDFRONT scope
acl=$(aws wafv2 list-web-acls --scope CLOUDFRONT --region us-east-1 --query "WebACLs[?contains(Name, '$acl_name')]" | jq -r '.[]')
terraform import module.waf.module.acl_global.aws_wafv2_web_acl.acl "$(echo "$acl" | jq -r '.Id')/$(echo "$acl" | jq -r '.Name')/CLOUDFRONT"

# REGIONAL scope, Virginia region (us-east-1)
region=us-east-1
acl=$(aws wafv2 list-web-acls --scope REGIONAL --region $region --query "WebACLs[?contains(Name, '$acl_name')]" | jq -r '.[]')
terraform import module.waf.module.acl_$region.aws_wafv2_web_acl.acl "$(echo "$acl" | jq -r '.Id')/$(echo "$acl" | jq -r '.Name')/REGIONAL"

terraform apply
```

  4. Apply your change.
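The following is an added example, not part of the module or its README. It performs the same lookup as the import commands in step 3 offline: it reads the JSON that `aws wafv2 list-web-acls` prints, picks the FMS-created Web ACL by the same substring match the README's JMESPath `contains(Name, ...)` uses, and builds the `terraform import` address and `ID/NAME/SCOPE` import ID for the `acl_global` or `acl_<region>` submodule. It also covers the failure mode the shell version does not: when two ACL names contain the policy name (for example a policy whose name is a prefix of another), `jq -r '.[]'` would glue two objects together and the import ID would be garbage, so the example refuses to proceed. The sample CLI output, the account number, the ACL ids and the `module.waf` root prefix are constructed/assumed, not real data.

```python
"""Added example (not from the Hotmart terraform-modules-aws-fms repository):
derive the terraform import address and ID for the FMS-created Web ACL from
`aws wafv2 list-web-acls` output, rejecting ambiguous name matches."""
import json

# Constructed stand-in for `aws wafv2 list-web-acls --scope REGIONAL --region us-east-1` output.
SAMPLE_REGIONAL = json.dumps({"WebACLs": [
    {"Name": "legacy-app-acl",
     "Id": "99999999-0000-0000-0000-999999999999",
     "ARN": "arn:aws:wafv2:us-east-1:111111111111:regional/webacl/legacy-app-acl/99999999-0000-0000-0000-999999999999"},
    {"Name": "FMSManagedWebACLV2-NOME_POLICY-1618847200000",
     "Id": "11111111-aaaa-bbbb-cccc-222222222222",
     "ARN": "arn:aws:wafv2:us-east-1:111111111111:regional/webacl/FMSManagedWebACLV2-NOME_POLICY-1618847200000/11111111-aaaa-bbbb-cccc-222222222222"},
]})

# Constructed CLOUDFRONT listing where a second policy's name contains the first one as a substring.
SAMPLE_CLOUDFRONT_AMBIGUOUS = json.dumps({"WebACLs": [
    {"Name": "FMSManagedWebACLV2-NOME_POLICY-1618847200000",
     "Id": "11111111-aaaa-bbbb-cccc-222222222222",
     "ARN": "arn:aws:wafv2:us-east-1:111111111111:global/webacl/FMSManagedWebACLV2-NOME_POLICY-1618847200000/11111111-aaaa-bbbb-cccc-222222222222"},
    {"Name": "FMSManagedWebACLV2-NOME_POLICY_STAGING-1618900000000",
     "Id": "33333333-aaaa-bbbb-cccc-444444444444",
     "ARN": "arn:aws:wafv2:us-east-1:111111111111:global/webacl/FMSManagedWebACLV2-NOME_POLICY_STAGING-1618900000000/33333333-aaaa-bbbb-cccc-444444444444"},
]})


def find_fms_web_acl(list_output, policy_name):
    """Select exactly one Web ACL whose Name contains policy_name (the README's filter)."""
    matches = [acl for acl in json.loads(list_output)["WebACLs"] if policy_name in acl["Name"]]
    if not matches:
        raise LookupError(f"no Web ACL name contains {policy_name!r}; is the FMS policy active here?")
    if len(matches) > 1:
        names = ", ".join(acl["Name"] for acl in matches)
        raise LookupError(f"{len(matches)} Web ACLs match {policy_name!r} ({names}); use a more specific name")
    return matches[0]


def import_command(list_output, policy_name, scope, region=None, root="module.waf"):
    """Return (address, import_id) for `terraform import`.

    aws_wafv2_web_acl imports by ID/NAME/SCOPE. CLOUDFRONT ACLs belong to the acl_global
    submodule (they are always listed from us-east-1); REGIONAL ones to acl_<region>.
    """
    if scope == "CLOUDFRONT":
        submodule = "acl_global"
    elif scope == "REGIONAL":
        if not region:
            raise ValueError("REGIONAL scope needs a region")
        submodule = f"acl_{region}"
    else:
        raise ValueError(f"unknown scope {scope!r}")
    acl = find_fms_web_acl(list_output, policy_name)
    address = f"{root}.module.{submodule}.aws_wafv2_web_acl.acl"
    import_id = f"{acl['Id']}/{acl['Name']}/{scope}"
    return address, import_id


if __name__ == "__main__":
    address, import_id = import_command(SAMPLE_REGIONAL, "NOME_POLICY", "REGIONAL", "us-east-1")
    print(f"terraform import {address} {import_id}")
    try:
        import_command(SAMPLE_CLOUDFRONT_AMBIGUOUS, "NOME_POLICY", "CLOUDFRONT")
    except LookupError as err:
        print("refused:", err)
```

Run it against real CLI output by piping `aws wafv2 list-web-acls --scope REGIONAL --region "$region"` into `find_fms_web_acl`; a `LookupError` on the ambiguous case is the signal to tighten `acl_name` before any `terraform import` touches the state.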