diff --git a/terraform/environments/apex/aws_waf_ipset.txt b/terraform/environments/apex/aws_waf_ipset.txt
new file mode 100644
index 00000000000..08973a42f80
--- /dev/null
+++ b/terraform/environments/apex/aws_waf_ipset.txt
@@ -0,0 +1,164 @@
+81.134.202.29/32
+54.240.197.225/32
+157.203.176.138/32
+157.203.176.139/32
+157.203.176.140/32
+157.203.177.190/32
+157.203.177.191/32
+157.203.177.192/32
+62.25.109.0/24
+81.134.202.29/32
+85.115.52.0/24
+85.115.53.0/24
+85.115.54.0/24
+213.121.161.0/24
+195.59.75.0/24
+194.33.192.0/24
+194.33.193.0/24
+194.33.196.0/24
+194.33.197.0/24
+35.177.125.252/32
+35.177.137.160/32
+13.55.255.216/32
+13.55.255.217/32
+13.55.255.218/32
+13.55.255.219/32
+13.55.255.220/32
+13.55.255.221/32
+13.55.255.222/32
+13.55.255.223/32
+13.56.32.200/32
+13.56.32.201/32
+13.56.32.202/32
+13.56.32.203/32
+13.56.32.204/32
+13.56.32.205/32
+13.56.32.206/32
+13.56.32.207/32
+13.112.191.184/32
+13.112.191.185/32
+13.112.191.186/32
+13.112.191.187/32
+13.112.191.188/32
+13.112.191.189/32
+13.112.191.190/32
+13.112.191.191/32
+13.124.145.16/32
+13.124.145.17/32
+13.124.145.18/32
+13.124.145.19/32
+13.124.145.20/32
+13.124.145.21/32
+13.124.145.22/32
+13.124.145.23/32
+13.127.70.136/32
+13.127.70.137/32
+13.127.70.138/32
+13.127.70.139/32
+13.127.70.140/32
+13.127.70.141/32
+13.127.70.142/32
+13.127.70.143/32
+18.231.194.8/32
+18.231.194.9/32
+18.231.194.10/32
+18.231.194.11/32
+18.231.194.12/32
+18.231.194.13/32
+18.231.194.14/32
+18.231.194.15/32
+34.228.4.208/32
+34.228.4.209/32
+34.228.4.210/32
+34.228.4.211/32
+34.228.4.212/32
+34.228.4.213/32
+34.228.4.214/32
+34.228.4.215/32
+34.228.4.216/32
+34.228.4.217/32
+34.228.4.218/32
+34.228.4.219/32
+34.228.4.220/32
+34.228.4.221/32
+34.228.4.222/32
+34.228.4.223/32
+34.250.63.248/32
+34.250.63.249/32
+34.250.63.250/32
+34.250.63.251/32
+34.250.63.252/32
+34.250.63.253/32
+34.250.63.254/32
+34.250.63.255/32
+35.157.127.248/32
+35.157.127.249/32
+35.157.127.250/32
+35.157.127.251/32
+35.157.127.252/32
+35.157.127.253/32
+35.157.127.254/32
+35.157.127.255/32
+35.176.92.32/32
+35.176.92.33/32
+35.176.92.34/32
+35.176.92.35/32
+35.176.92.36/32
+35.176.92.37/32
+35.176.92.38/32
+35.176.92.39/32
+35.182.14.48/32
+35.182.14.49/32
+35.182.14.50/32
+35.182.14.51/32
+35.182.14.52/32
+35.182.14.53/32
+35.182.14.54/32
+35.182.14.55/32
+52.15.247.208/32
+52.15.247.209/32
+52.15.247.210/32
+52.15.247.211/32
+52.15.247.212/32
+52.15.247.213/32
+52.15.247.214/32
+52.15.247.215/32
+52.43.76.88/32
+52.43.76.89/32
+52.43.76.90/32
+52.43.76.91/32
+52.43.76.92/32
+52.43.76.93/32
+52.43.76.94/32
+52.43.76.95/32
+52.47.73.72/32
+52.47.73.73/32
+52.47.73.74/32
+52.47.73.75/32
+52.47.73.76/32
+52.47.73.77/32
+52.47.73.78/32
+52.47.73.79/32
+52.221.221.128/32
+52.221.221.129/32
+52.221.221.130/32
+52.221.221.131/32
+52.221.221.132/32
+52.221.221.133/32
+52.221.221.134/32
+52.221.221.135/32
+177.71.207.16/32
+177.71.207.17/32
+177.71.207.18/32
+177.71.207.19/32
+177.71.207.20/32
+177.71.207.21/32
+177.71.207.22/32
+177.71.207.23/32
+51.149.250.0/24
+51.149.249.0/29
+194.33.249.0/29
+51.149.249.32/29
+194.33.248.0/29
+20.49.214.199/32
+20.49.214.228/32
\ No newline at end of file
diff --git a/terraform/environments/apex/waf.tf b/terraform/environments/apex/waf.tf
new file mode 100644
index 00000000000..7ef4baf9a2b
--- /dev/null
+++ b/terraform/environments/apex/waf.tf
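Review bot: In aws_waf_ipset.txt, `81.134.202.29/32` appears twice (the first and tenth entries), and because waf.tf feeds this file straight into `ip_set_descriptors` via `split("\n", ...)`, a duplicate descriptor is at best redundant and may presumably be rejected by the WAF API on apply — drop the second occurrence. For the same reason every line of this file must be exactly one CIDR: no blank lines, trailing whitespace or comment lines, so the file cannot carry its own provenance header. The allowlist's origin and review date are therefore best recorded in the comment block next to the `wafmanualallowset` resource in waf.tf, which already cites the laa-apex template it was taken from.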
@@ -0,0 +1,96 @@ +# resource "aws_waf_ipset" "wafmanualallowset" { +# name = "${upper(local.application_name)} Manual Allow Set" +# # description = "" +# # scope = "CLOUDFRONT" +# provider = aws.us-east-1 +# # ip_address_version = "IPV4" +# addresses = [for ip in split("\n", chomp(file("${path}/aws_waf_ipset.txt"))) : ip] +# } + +locals { +ip_set_list = [for ip in split("\n", chomp(file("${path.module}/aws_waf_ipset.txt"))) : ip] +} + +resource "aws_waf_ipset" "wafmanualallowset" { + name = "${upper(local.application_name)} Manual Allow Set" + + # Ranges from https://github.com/ministryofjustice/laa-apex/blob/master/aws/application/application_stack.template + # removed redundant ip addresses such as RedCentric access and AWS Holborn offices + + dynamic "ip_set_descriptors" { + for_each = local.ip_set_list + content { + type = "IPV4" + value = ip_set_descriptors.value + } + } +} + +resource "aws_waf_ipset" "wafmanualblockset" { + name = "${upper(local.application_name)} Manual Block Set" +} + +resource "aws_waf_rule" "wafmanualallowrule" { + depends_on = [aws_waf_ipset.wafmanualallowset] + name = "${upper(local.application_name)} Manual Allow Rule" + metric_name = "${upper(local.application_name)}ManualAllowRule" + + predicates { + data_id = aws_waf_ipset.wafmanualallowset.id + negated = false + type = "IPMatch" + } +} + +resource "aws_waf_rule" "wafmanualblockrule" { + depends_on = [aws_waf_ipset.wafmanualblockset] + name = "${upper(local.application_name)} Manual Block Rule" + metric_name = "${upper(local.application_name)}ManualBlockRule" + + predicates { + data_id = aws_waf_ipset.wafmanualblockset.id + negated = false + type = "IPMatch" + } +} + +resource "aws_waf_web_acl" "waf_acl" { + depends_on = [ + aws_waf_rule.wafmanualallowrule, + aws_waf_rule.wafmanualblockrule, + ] + name = "${upper(local.application_name)} Whitelisting Requesters" + metric_name = "${upper(local.application_name)}WhitelistingRequesters" +# scope = "CLOUDFRONT" +# provider = 
aws.us-east-1 +default_action { + type = "BLOCK" + } + +rules { + action { + type = "ALLOW" + } + priority = 1 + rule_id = aws_waf_rule.wafmanualallowrule.id + type = "REGULAR" + } + +rules { + action { + type = "BLOCK" + } + priority = 2 + rule_id = aws_waf_rule.wafmanualblockrule.id + type = "REGULAR" + } +} + + + + + + + + +
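Review bot: `aws_waf_ipset.wafmanualblockset` is declared with no `ip_set_descriptors`, so Terraform manages it as an empty set; if the "Manual" naming means block entries are to be added by hand in the console, a later apply will presumably strip them again because the descriptor set is fully owned by this resource — confirm the intended workflow and either add `lifecycle { ignore_changes = [ip_set_descriptors] }` or source the block list from a file like the allow set. The `ip_set_list` local's for-expression is a no-op over `split()` and does no trimming, filtering or de-duplication, so a trailing CR, a blank line or a repeated entry in aws_waf_ipset.txt becomes an invalid or duplicate descriptor; `ip_set_list = distinct([for ip in split("\n", file("${path.module}/aws_waf_ipset.txt")) : trimspace(ip) if trimspace(ip) != ""])` covers all three. The commented-out first resource and the `# scope` / `# provider` lines inside `waf_acl` are leftovers from a different attempt and should be removed, and the `depends_on` entries are redundant given the `.id` references already create those edges. Nothing in this hunk associates `waf_acl` with a CloudFront distribution or other target; if that association lives elsewhere, a one-line comment pointing to it would help the next reader.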