generated from ministryofjustice/template-repository
-
Notifications
You must be signed in to change notification settings - Fork 20
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: add waf acl rules using MP module (#8146)
* feat: enable optional logging for waf acl and update the docs * docs: update TF_DOCS * fix: added count but forgot to add resource index * feat: add waf acl rules using MP module * feat: enable logging
- Loading branch information
1 parent
994c1c5
commit e1b5b8d
Showing
4 changed files
with
117 additions
and
57 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,67 +1,74 @@ | ||
resource "aws_wafv2_web_acl" "this" { | ||
name = "${local.application_name}-acl" | ||
description = "Web ACL for ${local.application_name}" | ||
scope = "REGIONAL" | ||
default_action { | ||
allow {} | ||
module "shield" { | ||
source = "../../modules/shield_advanced" | ||
|
||
providers = { | ||
aws.modernisation-platform = aws.modernisation-platform | ||
} | ||
rule { | ||
name = "AWSManagedRulesCommonRuleSet" | ||
priority = 0 | ||
override_action { | ||
# Dont do anything but count requests that match the rules in the ruleset | ||
count {} | ||
} | ||
statement { | ||
managed_rule_group_statement { | ||
name = "AWSManagedRulesCommonRuleSet" | ||
vendor_name = "AWS" | ||
} | ||
} | ||
visibility_config { | ||
cloudwatch_metrics_enabled = true | ||
metric_name = "${local.application_name}-common-ruleset" | ||
sampled_requests_enabled = true | ||
|
||
application_name = local.application_name | ||
|
||
enable_logging = true | ||
|
||
resources = { | ||
alb = { | ||
arn = aws_lb.external.arn | ||
} | ||
} | ||
rule { | ||
name = "AWSManagedRulesSQLiRuleSet" | ||
priority = 1 | ||
override_action { | ||
# Dont do anything but count requests that match the rules in the ruleset | ||
count {} | ||
} | ||
statement { | ||
managed_rule_group_statement { | ||
name = "AWSManagedRulesSQLiRuleSet" | ||
vendor_name = "AWS" | ||
|
||
waf_acl_rules = { | ||
AWSManagedRulesCommonRuleSet = { | ||
"action" = "count" | ||
"name" = "AWSManagedRulesCommonRuleSet" | ||
"priority" = 0 | ||
"threshold" = 1000 | ||
"statement" = { | ||
"managed_rule_group_statement" = { | ||
"name" = "AWSManagedRulesCommonRuleSet" | ||
"vendor_name" = "AWS" | ||
} | ||
} | ||
"visibility_config" = { | ||
"cloudwatch_metrics_enabled" = true | ||
"metric_name" = "${local.application_name}-common-ruleset" | ||
"sampled_requests_enabled" = true | ||
} | ||
} | ||
visibility_config { | ||
cloudwatch_metrics_enabled = true | ||
metric_name = "${local.application_name}-SQLi-ruleset" | ||
sampled_requests_enabled = true | ||
AWSManagedRulesSQLiRuleSet = { | ||
"action" = "count" | ||
"name" = "AWSManagedRulesSQLiRuleSet" | ||
"priority" = 1 | ||
"threshold" = 1000 | ||
"statement" = { | ||
"managed_rule_group_statement" = { | ||
"name" = "AWSManagedRulesSQLiRuleSet" | ||
"vendor_name" = "AWS" | ||
} | ||
} | ||
"visibility_config" = { | ||
"cloudwatch_metrics_enabled" = true | ||
"metric_name" = "${local.application_name}-SQLi-ruleset" | ||
"sampled_requests_enabled" = true | ||
} | ||
} | ||
} | ||
|
||
tags = local.tags | ||
visibility_config { | ||
cloudwatch_metrics_enabled = true | ||
metric_name = "${local.application_name}-waf-metrics" | ||
sampled_requests_enabled = true | ||
} | ||
} | ||
resource "aws_wafv2_web_acl_association" "this" { | ||
resource_arn = aws_lb.external.arn | ||
web_acl_arn = aws_wafv2_web_acl.this.arn | ||
|
||
data "external" "shield_waf" { | ||
program = [ | ||
"bash", "-c", | ||
"aws wafv2 list-web-acls --scope REGIONAL --output json | jq -c '{arn: .WebACLs[] | select(.Name | contains(\"FMManagedWebACL\")) | .ARN, name: .WebACLs[] | select(.Name | contains(\"FMManagedWebACL\")) | .Name}'" | ||
] | ||
} | ||
|
||
resource "aws_cloudwatch_log_group" "waf" { | ||
name = "aws-waf-logs-${local.application_name}" | ||
retention_in_days = 60 | ||
tags = local.tags | ||
locals { | ||
split_arn = split("regional/webacl/", data.external.shield_waf.result["arn"])[1] | ||
name = data.external.shield_waf.result["name"] | ||
id = split("/", local.split_arn)[1] | ||
scope = "REGIONAL" | ||
|
||
} | ||
resource "aws_wafv2_web_acl_logging_configuration" "waf" { | ||
log_destination_configs = [aws_cloudwatch_log_group.waf.arn] | ||
resource_arn = aws_wafv2_web_acl.this.arn | ||
import { | ||
id = "${local.id}/${local.name}/${local.scope}" | ||
to = module.shield.aws_wafv2_web_acl.main | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters