
Commit a92efc9

authored
Merge pull request #5 from oozou/feat/waf-support-custom-rule
feat: WAF support for custom rules
2 parents f7cc74f + 55179dd commit a92efc9


16 files changed

+1171
-255
lines changed


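--- a/README.md
+++ b/README.md
@@ -2,71 +2,219 @@
 
 Terraform module with create vpc and subnet resources on AWS.
 
-## Usage
+## Custom Rules Usage
 
 ```terraform
-module "waf" {
-source = "git::ssh://git@github.com:oozou/terraform-aws-waf.git"
-name = "test-waf"
-prefix = "oozou"
-is_enable_default_rule = true
-is_enable_sampled_requests = false
-is_enable_cloudwatch_metrics = false
-is_create_logging_configuration = true
-scope = "CLOUDFRONT"
-environment = "dev"
-managed_rules = [
-{
-name = "AWSManagedRulesAdminProtectionRuleSet",
-priority = 60
-override_action = "none"
-excluded_rules = []
-}
-]
-ip_sets_rule = [
-{
-name = "block-ip-set"
-priority = 6
-action = "block"
-ip_address_version = "IPV4"
-ip_set = ["10.0.1.1/32"]
-}
-]
-ip_rate_based_rule = {
-name : "ip-rate-limit",
-priority : 7,
-action : "block",
-limit : 100
-}
-redacted_fields = [
-{
-single_header = {
-name = "user-agent"
+waf_custom_rules = [
+{
+name = "match-originate-from-an-ip-addresses-in-rule" #
+priority = 10 ##
+action = "count" # {count, allow, block}
+expression_type = "match-statement" ##
+statements = [ ##
+{
+inspect = "originate-from-an-ip-addresses-in" ##
+ip_set_key = "oozou-vpn-ipv4-set" # Match above
 }
-}
-]
-
-logging_filter = {
-default_behavior = "DROP"
-filter = [
-{
-behavior = "KEEP"
-requirement = "MEETS_ANY"
-condition = [
-{
-action_condition = {
-action = "ALLOW"
-}
-},
-]
+]
+},
+{
+name = "match-originate-from-a-country-in-rule" #
+priority = 20 ##
+action = "count" # {count, allow, block}
+expression_type = "match-statement" ##
+statements = [ ##
+{
+inspect = "originate-from-a-country-in" ##
+country_codes = ["TH"]
+}
+]
+},
+{
+name = "match-has-a-label-rule" #
+priority = 30 ##
+action = "count" # {count, allow, block}
+expression_type = "match-statement" ##
+statements = [ ##
+{
+inspect = "has-a-label" ##
+scope = "LABEL"
+key = "awswaf:managed:aws:core-rule-set:GenericLFI_URIPath"
+}
+]
+},
+/* -------------------------------------------------------------------------- */
+/* Strgin Match Condition Example */
+/* -------------------------------------------------------------------------- */
+{
+name = "match-request-component-single-header-rule" #
+priority = 40 ##
+action = "count" # {count, allow, block}
+expression_type = "match-statement" ##
+statements = [ ##
+{
+inspect = "single-header" ##
+header_name = "host"
+positional_constraint = "CONTAINS"
+search_string = "STRING_TO_SEARCH"
+}
+]
+},
+{
+## Not available (just for test case)
+name = "match-request-component-all-headers-rule" #
+priority = 41 ##
+action = "count" # {count, allow, block}
+expression_type = "match-statement" ##
+statements = [ ##
+{
+inspect = "all-headers" ##
+positional_constraint = "CONTAINS"
+search_string = "STRING_TO_SEARCH"
+}
+]
+},
+{
+## Not available (just for test case)
+name = "match-request-component-cookies-rule" #
+priority = 42 ##
+action = "count" # {count, allow, block}
+expression_type = "match-statement" ##
+statements = [ ##
+{
+inspect = "cookies" ##
+positional_constraint = "CONTAINS"
+search_string = "STRING_TO_SEARCH"
+}
+]
+},
+{
+name = "match-request-component-single-query-parameter-rule" #
+priority = 43 ##
+action = "count" # {count, allow, block}
+expression_type = "match-statement" ##
+statements = [ ##
+{
+inspect = "single-query-parameter" ##
+positional_constraint = "CONTAINS"
+search_string = "STRING_TO_SEARCH"
+query_string_name = "user"
+}
+]
+},
+{
+name = "match-request-component-all-query-parameters-rule" #
+priority = 44 ##
+action = "count" # {count, allow, block}
+expression_type = "match-statement" ##
+statements = [ ##
+{
+inspect = "all-query-parameters" ##
+positional_constraint = "CONTAINS"
+search_string = "STRING_TO_SEARCH"
+}
+]
+},
+{
+name = "match-request-component-uri-path-rule" #
+priority = 45 ##
+action = "count" # {count, allow, block}
+expression_type = "match-statement" ##
+statements = [ ##
+{
+inspect = "uri-path" ##
+positional_constraint = "CONTAINS"
+search_string = "STRING_TO_SEARCH"
+}
+]
+},
+{
+name = "match-request-component-query-string-rule" #
+priority = 46 ##
+action = "count" # {count, allow, block}
+expression_type = "match-statement" ##
+statements = [ ##
+{
+inspect = "query-string" ##
+positional_constraint = "CONTAINS"
+search_string = "STRING_TO_SEARCH"
+}
+]
+},
+## Not available (just for test case)
+{
+name = "match-request-component-body-rule" #
+priority = 47 ##
+action = "count" # {count, allow, block}
+expression_type = "match-statement" ##
+statements = [ ##
+{
+inspect = "body" ##
+positional_constraint = "CONTAINS"
+search_string = "STRING_TO_SEARCH"
+}
+]
+},
+{
+## Not available (just for test case)
+name = "match-request-component-json-body-rule" #
+priority = 48 ##
+action = "count" # {count, allow, block}
+expression_type = "match-statement" ##
+statements = [ ##
+{
+inspect = "json-body" ##
+positional_constraint = "CONTAINS"
+search_string = "STRING_TO_SEARCH"
+}
+]
+},
+{
+name = "match-request-component-http-method-rule" #
+priority = 49 ##
+action = "count" # {count, allow, block}
+expression_type = "match-statement" ##
+statements = [ ##
+{
+inspect = "http-method" ##
+positional_constraint = "CONTAINS"
+search_string = "post"
+}
+]
+},
+/* -------------------------------------------------------------------------- */
+/* And Statement */
+/* -------------------------------------------------------------------------- */
+{
+name = "match-request-component-http-method-rule" #
+priority = 50 ##
+action = "count" # {count, allow, block}
+expression_type = "and-statements" ##
+statements = [ ##
+{
+inspect = "http-method" ##
+is_negated_statement = false
+positional_constraint = "CONTAINS"
+search_string = "post"
+},
+{
+inspect = "single-header" ##
+header_name = "host"
+is_negated_statement = true
+positional_constraint = "CONTAINS"
+search_string = "STRING_TO_SEARCH"
+},
+{
+inspect = "originate-from-an-ip-addresses-in" ##
+ip_set_key = "oozou-vpn-ipv4-set"
+},
+{
+inspect = "originate-from-a-country-in" ##
+country_codes = ["TH"]
 }
 ]
-}
-association_resources = "arn:xxxxx"
-tags = {
-"Custom-Tag" = "1"
-}
-}
+},
+]
 ```
 
 <!-- BEGIN_TF_DOCS -->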

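--- a/examples/complete/README.md
+++ b/examples/complete/README.md
@@ -0,0 +1,56 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|---------------------------------------------------------------------------|-------------------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0.0, < 5.0.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.3.0 |
+
+## Providers
+
+| Name | Version |
+|------------------------------------------------------------------------------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.67.0 |
+| <a name="provider_aws.virginia"></a> [aws.virginia](#provider\_aws.virginia) | 4.67.0 |
+
+## Modules
+
+| Name | Source | Version |
+|--------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------|------------------------------------------|
+| <a name="module_cloudfront_distribution"></a> [cloudfront\_distribution](#module\_cloudfront\_distribution) | oozou/cloudfront/aws | 1.1.0 |
+| <a name="module_fargate_cluster"></a> [fargate\_cluster](#module\_fargate\_cluster) | oozou/ecs-fargate-cluster/aws | 1.0.8 |
+| <a name="module_s3_alb_log_bucket"></a> [s3\_alb\_log\_bucket](#module\_s3\_alb\_log\_bucket) | oozou/s3/aws | 1.1.5 |
+| <a name="module_s3_cloudfront_log_bucket"></a> [s3\_cloudfront\_log\_bucket](#module\_s3\_cloudfront\_log\_bucket) | oozou/s3/aws | 1.1.5 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | oozou/vpc/aws | 1.2.5 |
+| <a name="module_web_service"></a> [web\_service](#module\_web\_service) | git@github.com:oozou/terraform-aws-ecs-fargate-service.git | feat/support-multiple-sidecard-container |
+
+## Resources
+
+| Name | Type |
+|---------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
+| [aws_acm_certificate.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate) | resource |
+| [aws_acm_certificate.virginia](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate) | resource |
+| [aws_acm_certificate_validation.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation) | resource |
+| [aws_acm_certificate_validation.virginia](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation) | resource |
+| [aws_route53_record.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [aws_route53_record.virginia](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.alb_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cloudfront_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_route53_zone.selected_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|-----------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------|---------------|---------|:--------:|
+| <a name="input_custom_tags"></a> [custom\_tags](#input\_custom\_tags) | Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys. | `map(string)` | `{}` | no |
+| <a name="input_environment"></a> [environment](#input\_environment) | [Required] Name prefix used for resource naming in this component | `string` | n/a | yes |
+| <a name="input_name"></a> [name](#input\_name) | [Required] Name of Platfrom or application | `string` | n/a | yes |
+| <a name="input_prefix"></a> [prefix](#input\_prefix) | [Required] Name prefix used for resource naming in this component | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->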
