feat: add waf acl rules using MP module

ministryofjustice · Oct 9, 2024 · 119682a · 119682a
1 parent ab2bd44
commit 119682a
Showing 1 changed file with 115 additions and 57 deletions.
diff --git a/terraform/environments/delius-jitbit/waf.tf b/terraform/environments/delius-jitbit/waf.tf
@@ -1,67 +1,125 @@
-resource "aws_wafv2_web_acl" "this" {
-  name        = "${local.application_name}-acl"
-  description = "Web ACL for ${local.application_name}"
-  scope       = "REGIONAL"
-  default_action {
-    allow {}
+# resource "aws_wafv2_web_acl" "this" {
+#   name        = "${local.application_name}-acl"
+#   description = "Web ACL for ${local.application_name}"
+#   scope       = "REGIONAL"
+#   default_action {
+#     allow {}
+#   }
+#   rule {
+#     name     = "AWSManagedRulesCommonRuleSet"
+#     priority = 0
+#     override_action {
+#       # Dont do anything but count requests that match the rules in the ruleset
+#       count {}
+#     }
+#     statement {
+#       managed_rule_group_statement {
+#         name        = "AWSManagedRulesCommonRuleSet"
+#         vendor_name = "AWS"
+#       }
+#     }
+#     visibility_config {
+#       cloudwatch_metrics_enabled = true
+#       metric_name                = "${local.application_name}-common-ruleset"
+#       sampled_requests_enabled   = true
+#     }
+#   }
+#   rule {
+#     name     = "AWSManagedRulesSQLiRuleSet"
+#     priority = 1
+#     override_action {
+#       # Dont do anything but count requests that match the rules in the ruleset
+#       count {}
+#     }
+#     statement {
+#       managed_rule_group_statement {
+#         name        = "AWSManagedRulesSQLiRuleSet"
+#         vendor_name = "AWS"
+#       }
+#     }
+#     visibility_config {
+#       cloudwatch_metrics_enabled = true
+#       metric_name                = "${local.application_name}-SQLi-ruleset"
+#       sampled_requests_enabled   = true
+#     }
+#   }
+
+#   tags = local.tags
+#   visibility_config {
+#     cloudwatch_metrics_enabled = true
+#     metric_name                = "${local.application_name}-waf-metrics"
+#     sampled_requests_enabled   = true
+#   }
+# }
+# resource "aws_wafv2_web_acl_association" "this" {
+#   resource_arn = aws_lb.external.arn
+#   web_acl_arn  = aws_wafv2_web_acl.this.arn
+# }
+
+# resource "aws_cloudwatch_log_group" "waf" {
+#   name              = "aws-waf-logs-${local.application_name}"
+#   retention_in_days = 60
+#   tags              = local.tags
+# }
+# resource "aws_wafv2_web_acl_logging_configuration" "waf" {
+#   log_destination_configs = [aws_cloudwatch_log_group.waf.arn]
+#   resource_arn            = aws_wafv2_web_acl.this.arn
+# }
+
+module "shield" {
+  source = "../../modules/shield_advanced"
+
+  providers = {
+    aws.modernisation-platform = aws.modernisation-platform
   }
-  rule {
-    name     = "AWSManagedRulesCommonRuleSet"
-    priority = 0
-    override_action {
-      # Dont do anything but count requests that match the rules in the ruleset
-      count {}
-    }
-    statement {
-      managed_rule_group_statement {
-        name        = "AWSManagedRulesCommonRuleSet"
-        vendor_name = "AWS"
-      }
-    }
-    visibility_config {
-      cloudwatch_metrics_enabled = true
-      metric_name                = "${local.application_name}-common-ruleset"
-      sampled_requests_enabled   = true
+
+  application_name = local.application_name
+
+  resources = {
+    alb = {
+      arn = aws_lb.external.arn
     }
   }
-  rule {
-    name     = "AWSManagedRulesSQLiRuleSet"
-    priority = 1
-    override_action {
-      # Dont do anything but count requests that match the rules in the ruleset
-      count {}
-    }
-    statement {
-      managed_rule_group_statement {
-        name        = "AWSManagedRulesSQLiRuleSet"
-        vendor_name = "AWS"
+
+  waf_acl_rules = {
+    AWSManagedRulesCommonRuleSet = {
+      "action" = "count"
+      "name"   = "AWSManagedRulesCommonRuleSet"
+      "priority" = 0
+      "threshold" = 1000
+      "statement" = {
+        "managed_rule_group_statement" = {
+          "name"        = "AWSManagedRulesCommonRuleSet"
+          "vendor_name" = "AWS"
+        }
+      }
+      "visibility_config" = {
+        "cloudwatch_metrics_enabled" = true
+        "metric_name"                = "${local.application_name}-common-ruleset"
+        "sampled_requests_enabled"   = true
       }
     }
-    visibility_config {
-      cloudwatch_metrics_enabled = true
-      metric_name                = "${local.application_name}-SQLi-ruleset"
-      sampled_requests_enabled   = true
+    AWSManagedRulesSQLiRuleSet = {
+      "action" = "count"
+      "name"   = "AWSManagedRulesSQLiRuleSet"
+      "priority" = 1
+      "threshold" = 1000
+      "statement" = {
+        "managed_rule_group_statement" = {
+          "name"        = "AWSManagedRulesSQLiRuleSet"
+          "vendor_name" = "AWS"
+        }
+      }
+      "visibility_config" = {
+        "cloudwatch_metrics_enabled" = true
+        "metric_name"                = "${local.application_name}-SQLi-ruleset"
+        "sampled_requests_enabled"   = true
+      }
     }
   }
 
-  tags = local.tags
-  visibility_config {
-    cloudwatch_metrics_enabled = true
-    metric_name                = "${local.application_name}-waf-metrics"
-    sampled_requests_enabled   = true
-  }
-}
-resource "aws_wafv2_web_acl_association" "this" {
-  resource_arn = aws_lb.external.arn
-  web_acl_arn  = aws_wafv2_web_acl.this.arn
-}
-
-resource "aws_cloudwatch_log_group" "waf" {
-  name              = "aws-waf-logs-${local.application_name}"
-  retention_in_days = 60
-  tags              = local.tags
 }
-resource "aws_wafv2_web_acl_logging_configuration" "waf" {
-  log_destination_configs = [aws_cloudwatch_log_group.waf.arn]
-  resource_arn            = aws_wafv2_web_acl.this.arn
+import {
+  id = "fac07abe-ec5c-41fc-a7f2-1bed635de5ed/FMManagedWebACLV2-shield_advanced_auto_remediate-1669984014331/REGIONAL"
+  to = module.shield.aws_wafv2_web_acl.main
 }