@@ -7,117 +7,153 @@ provider "aws" {
77 region = " us-east-1"
88}
99
10- module "waf_cloudfront " {
10+ module "waf_alb " {
1111 source = " ../.."
1212
1313 prefix = . prefix
1414 environment = . environment
1515 name = . name
1616
17- scope = " CLOUDFRONT" # To work with CloudFront, you must also specify the region us-east-1 (N. Virginia) on the AWS provider.
17+ scope = " REGIONAL"
18+
19+ managed_rules =
20+ {
21+ name = " AWSManagedRulesCommonRuleSet"
22+ priority = 10
23+ override_action = " none"
24+ excluded_rules = []
25+ }
26+ ]
27+
28+ custom_response_body =
29+ {
30+ key = " custom-response"
31+ content = << EOL
32+ {
33+ "data": {
34+ "code": "OUT_OF_THAILAND"
35+ }
36+ }
37+ EOL
38+ content_type = " APPLICATION_JSON"
39+ }
40+ ]
1841
1942 ip_set =
20- " admin-vpn -ipv4-set" = {
43+ " allow -ipv4-set" = {
2144 ip_addresses = [" 127.0.0.1/32" " 127.0.0.2/32" " 127.0.0.3/32" " 127.0.0.4/32" " 127.0.0.5/32"
2245 ip_address_version = " IPV4"
2346 },
24- " admin-vpn -ipv6-set" = {
47+ " allow -ipv6-set" = {
2548 ip_addresses = [" 1234:5678:9101:1121:3141:5161:7181:9202/128"
2649 ip_address_version = " IPV6"
2750 }
2851 }
52+
2953 custom_rules =
3054 {
31- name = " control -access-to-cms-admin-page-rule " #
32- priority = 70 # #
33- action = " block " # {count, allow, block}
34- expression_type = " and -statements" # #
35- statements = [ # #
55+ name = " allow -access-to-public-path " #
56+ priority = 70 # #
57+ action = " allow " # {count, allow, block}
58+ expression_type = " or -statements" # #
59+ statements = [ # #
3660 {
37- inspect = " single-header"
38- header_name = " host"
39- positional_constraint = " CONTAINS"
40- search_string = " cms.mobilethuat.starbuckscard.in.th"
61+ inspect = " uri-path"
62+ positional_constraint = " STARTS_WITH"
63+ search_string = " /uploads"
4164 },
65+ {
66+ inspect = " uri-path"
67+ positional_constraint = " STARTS_WITH"
68+ search_string = " /images"
69+ },
70+ ]
71+ },
72+ {
73+ name = " allow-access-from-vpn" #
74+ priority = 80 # #
75+ action = " allow" # {count, allow, block}
76+ expression_type = " or-statements" # #
77+ statements = [ # #
4278 {
4379 inspect = " originate-from-an-ip-addresses-in"
4480 is_negated_statement = true
45- ip_set_key = " admin-vpn -ipv4-set"
81+ ip_set_key = " allow -ipv4-set"
4682 },
4783 {
4884 inspect = " originate-from-an-ip-addresses-in"
4985 is_negated_statement = true
50- ip_set_key = " admin-vpn -ipv6-set"
51- }
86+ ip_set_key = " allow -ipv6-set"
87+ },
5288 ]
5389 },
54- ]
55-
56- providers =
57- aws = aws.virginia
58- }
59-
60- tags = . custom_tags
61- }
62-
63-
64- module "waf_alb" {
65- source = " ../.."
66-
67- prefix = . prefix
68- environment = . environment
69- name = . name
70-
71- scope = " REGIONAL"
72-
73- managed_rules =
7490 {
75- name = " AWSManagedRulesCommonRuleSet"
76- priority = 10
77- override_action = " none"
78- excluded_rules = []
79- }
80- ]
81-
82- ip_set =
83- " admin-vpn-ipv4-set" = {
84- ip_addresses = [" 127.0.0.1/32" " 127.0.0.2/32" " 127.0.0.3/32" " 127.0.0.4/32" " 127.0.0.5/32"
85- ip_address_version = " IPV4"
91+ name = " allow-access-from-3rd" #
92+ priority = 90 # #
93+ action = " allow" # {count, allow, block}
94+ expression_type = " or-statements" # #
95+ statements = [ # #
96+ # If 3rd only use, api uri we can add it to statement
97+ {
98+ inspect = " originate-from-an-ip-addresses-in"
99+ is_negated_statement = true
100+ ip_set_key = " allow-ipv4-set"
101+ # ip_set_key = "allow-3rd-ipv4-set"
102+ },
103+ {
104+ inspect = " originate-from-an-ip-addresses-in"
105+ is_negated_statement = true
106+ ip_set_key = " allow-ipv6-set"
107+ # ip_set_key = "allow-3rd-ipv6-set"
108+ },
109+ ]
86110 },
87- " admin-vpn-ipv6-set" = {
88- ip_addresses = [" 1234:5678:9101:1121:3141:5161:7181:9202/128"
89- ip_address_version = " IPV6"
90- }
91- }
92-
93- custom_rules =
94111 {
95- name = " control-access-to-cms-admin-page-rule " #
96- priority = 70 # #
97- action = " block" # {count, allow, block}
98- expression_type = " and-statements" # #
99- statements = [ # #
112+ name = " control-access-to-cms-admin-page" #
113+ priority = 100 # #
114+ action = " block" # {count, allow, block}
115+ expression_type = " and-statements" # #
116+ statements = [ # #
100117 {
101118 inspect = " single-header"
102119 header_name = " host"
103120 positional_constraint = " CONTAINS"
104- search_string = " cms.mobilethuat.starbuckscard.in.th "
121+ search_string = " xxx.com "
105122 },
106123 {
107124 inspect = " originate-from-an-ip-addresses-in"
108125 is_negated_statement = true
109- ip_set_key = " admin-vpn -ipv4-set"
126+ ip_set_key = " allow -ipv4-set"
110127 },
111128 {
112129 inspect = " originate-from-an-ip-addresses-in"
113130 is_negated_statement = true
114- ip_set_key = " admin-vpn -ipv6-set"
131+ ip_set_key = " allow -ipv6-set"
115132 }
116133 ]
117134 },
135+ {
136+ name = " control-access-to-api-from-geo" #
137+ priority = 110 # #
138+ action = " block" # {count, allow, block}
139+ expression_type = " and-statements" # #
140+ statements = [ # #
141+ {
142+ inspect = " single-header"
143+ header_name = " host"
144+ positional_constraint = " CONTAINS"
145+ search_string = " xxx.com"
146+ },
147+ {
148+ inspect = " originate-from-a-country-in"
149+ is_negated_statement = true
150+ country_codes = [" TH"
151+ }
152+ ]
153+ }
118154 ]
119155
120- association_resources = " arn:aws:elasticloadbalancing:ap-southeast-1:xxxx :loadbalancer/app/xxxxx "
156+ association_resources = " arn:aws:elasticloadbalancing:ap-southeast-1:xxx :loadbalancer/app/xxx "
121157
122158 tags = . custom_tags
123159}
0 commit comments