Merge pull request #4044 from ministryofjustice/LAWS-3533-apex-waf

LAWS-3533: added waf ip set, waf rules and web acl
ministryofjustice · Nov 21, 2023 · b0ad419 · b0ad419
2 parents 7ebd867 + aabc03a
commit b0ad419
Show file tree

Hide file tree

Showing 2 changed files with 260 additions and 0 deletions.
diff --git a/terraform/environments/apex/aws_waf_ipset.txt b/terraform/environments/apex/aws_waf_ipset.txt
@@ -0,0 +1,164 @@
+81.134.202.29/32
+54.240.197.225/32
+157.203.176.138/32
+157.203.176.139/32
+157.203.176.140/32
+157.203.177.190/32
+157.203.177.191/32
+157.203.177.192/32
+62.25.109.0/24
+81.134.202.29/32
+85.115.52.0/24
+85.115.53.0/24
+85.115.54.0/24
+213.121.161.0/24
+195.59.75.0/24
+194.33.192.0/24
+194.33.193.0/24
+194.33.196.0/24
+194.33.197.0/24
+35.177.125.252/32
+35.177.137.160/32
+13.55.255.216/32
+13.55.255.217/32
+13.55.255.218/32
+13.55.255.219/32
+13.55.255.220/32
+13.55.255.221/32
+13.55.255.222/32
+13.55.255.223/32
+13.56.32.200/32
+13.56.32.201/32
+13.56.32.202/32
+13.56.32.203/32
+13.56.32.204/32
+13.56.32.205/32
+13.56.32.206/32
+13.56.32.207/32
+13.112.191.184/32
+13.112.191.185/32
+13.112.191.186/32
+13.112.191.187/32
+13.112.191.188/32
+13.112.191.189/32
+13.112.191.190/32
+13.112.191.191/32
+13.124.145.16/32
+13.124.145.17/32
+13.124.145.18/32
+13.124.145.19/32
+13.124.145.20/32
+13.124.145.21/32
+13.124.145.22/32
+13.124.145.23/32
+13.127.70.136/32
+13.127.70.137/32
+13.127.70.138/32
+13.127.70.139/32
+13.127.70.140/32
+13.127.70.141/32
+13.127.70.142/32
+13.127.70.143/32
+18.231.194.8/32
+18.231.194.9/32
+18.231.194.10/32
+18.231.194.11/32
+18.231.194.12/32
+18.231.194.13/32
+18.231.194.14/32
+18.231.194.15/32
+34.228.4.208/32
+34.228.4.209/32
+34.228.4.210/32
+34.228.4.211/32
+34.228.4.212/32
+34.228.4.213/32
+34.228.4.214/32
+34.228.4.215/32
+34.228.4.216/32
+34.228.4.217/32
+34.228.4.218/32
+34.228.4.219/32
+34.228.4.220/32
+34.228.4.221/32
+34.228.4.222/32
+34.228.4.223/32
+34.250.63.248/32
+34.250.63.249/32
+34.250.63.250/32
+34.250.63.251/32
+34.250.63.252/32
+34.250.63.253/32
+34.250.63.254/32
+34.250.63.255/32
+35.157.127.248/32
+35.157.127.249/32
+35.157.127.250/32
+35.157.127.251/32
+35.157.127.252/32
+35.157.127.253/32
+35.157.127.254/32
+35.157.127.255/32
+35.176.92.32/32
+35.176.92.33/32
+35.176.92.34/32
+35.176.92.35/32
+35.176.92.36/32
+35.176.92.37/32
+35.176.92.38/32
+35.176.92.39/32
+35.182.14.48/32
+35.182.14.49/32
+35.182.14.50/32
+35.182.14.51/32
+35.182.14.52/32
+35.182.14.53/32
+35.182.14.54/32
+35.182.14.55/32
+52.15.247.208/32
+52.15.247.209/32
+52.15.247.210/32
+52.15.247.211/32
+52.15.247.212/32
+52.15.247.213/32
+52.15.247.214/32
+52.15.247.215/32
+52.43.76.88/32
+52.43.76.89/32
+52.43.76.90/32
+52.43.76.91/32
+52.43.76.92/32
+52.43.76.93/32
+52.43.76.94/32
+52.43.76.95/32
+52.47.73.72/32
+52.47.73.73/32
+52.47.73.74/32
+52.47.73.75/32
+52.47.73.76/32
+52.47.73.77/32
+52.47.73.78/32
+52.47.73.79/32
+52.221.221.128/32
+52.221.221.129/32
+52.221.221.130/32
+52.221.221.131/32
+52.221.221.132/32
+52.221.221.133/32
+52.221.221.134/32
+52.221.221.135/32
+177.71.207.16/32
+177.71.207.17/32
+177.71.207.18/32
+177.71.207.19/32
+177.71.207.20/32
+177.71.207.21/32
+177.71.207.22/32
+177.71.207.23/32
+51.149.250.0/24
+51.149.249.0/29
+194.33.249.0/29
+51.149.249.32/29
+194.33.248.0/29
+20.49.214.199/32
+20.49.214.228/32
diff --git a/terraform/environments/apex/waf.tf b/terraform/environments/apex/waf.tf
@@ -0,0 +1,96 @@
+# resource "aws_waf_ipset" "wafmanualallowset" {
+#   name     = "${upper(local.application_name)} Manual Allow Set"
+#   # description        = ""
+#   # scope              = "CLOUDFRONT"
+#   provider           = aws.us-east-1
+#   # ip_address_version = "IPV4"
+#   addresses          = [for ip in split("\n", chomp(file("${path}/aws_waf_ipset.txt"))) : ip]
+# }
+
+locals {
+ip_set_list   = [for ip in split("\n", chomp(file("${path.module}/aws_waf_ipset.txt"))) : ip]
+}
+
+resource "aws_waf_ipset" "wafmanualallowset" {
+  name     = "${upper(local.application_name)} Manual Allow Set"
+
+  # Ranges from https://github.com/ministryofjustice/laa-apex/blob/master/aws/application/application_stack.template
+  # removed redundant ip addresses such as RedCentric access and AWS Holborn offices
+
+  dynamic "ip_set_descriptors" {
+    for_each = local.ip_set_list
+    content {
+      type  = "IPV4"
+      value = ip_set_descriptors.value
+    }
+  }
+}
+
+resource "aws_waf_ipset" "wafmanualblockset" {
+  name     = "${upper(local.application_name)} Manual Block Set"
+}
+
+resource "aws_waf_rule" "wafmanualallowrule" {
+  depends_on  = [aws_waf_ipset.wafmanualallowset]
+  name     = "${upper(local.application_name)} Manual Allow Rule"
+  metric_name = "${upper(local.application_name)}ManualAllowRule"
+
+  predicates {
+    data_id = aws_waf_ipset.wafmanualallowset.id
+    negated = false
+    type    = "IPMatch"
+  }
+}
+
+resource "aws_waf_rule" "wafmanualblockrule" {
+  depends_on  = [aws_waf_ipset.wafmanualblockset]
+  name     = "${upper(local.application_name)} Manual Block Rule"
+  metric_name = "${upper(local.application_name)}ManualBlockRule"
+
+  predicates {
+    data_id = aws_waf_ipset.wafmanualblockset.id
+    negated = false
+    type    = "IPMatch"
+  }
+}
+
+resource "aws_waf_web_acl" "waf_acl" {
+  depends_on = [
+    aws_waf_rule.wafmanualallowrule,
+    aws_waf_rule.wafmanualblockrule,
+  ]
+  name     = "${upper(local.application_name)} Whitelisting Requesters"
+  metric_name = "${upper(local.application_name)}WhitelistingRequesters"
+#   scope    = "CLOUDFRONT"
+#   provider = aws.us-east-1
+default_action {
+    type = "BLOCK"
+  }
+
+rules {
+    action {
+      type = "ALLOW"
+    }
+    priority = 1
+    rule_id  = aws_waf_rule.wafmanualallowrule.id
+    type     = "REGULAR"
+  }
+
+rules {
+    action {
+      type = "BLOCK"
+    }
+    priority = 2
+    rule_id  = aws_waf_rule.wafmanualblockrule.id
+    type     = "REGULAR"
+  }
+}
+
+
+
+
+
+
+
+
+