cloudformation-waf-uri-ipsets-rule
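---
# WAF Classic template that restricts up to three URI patterns to up to three
# source IPv4 ranges:
#   - WAFAllowRule : URI matches AND source IP is in the IP set      -> ALLOW
#   - WAFBlockRule : URI matches AND source IP is NOT in the IP set  -> BLOCK
# Both rules share one ByteMatchSet (URI patterns) and one IPSet. With
# CreateWebACL=Yes the rules are wrapped in a WebACL; otherwise the rule IDs are
# exported in Outputs so they can be attached to an existing WebACL.
#
# NOTE(review): "AWS::WAF::*" is the WAF Classic *global* (CloudFront) resource
# namespace; ALB / API Gateway associations use "AWS::WAFRegional::*", and WAFv2
# ("AWS::WAFv2::*") supersedes WAF Classic for new deployments -- confirm current
# AWS guidance before reusing this template.
#
# NOTE(review): the IPMatch predicates act on the source IP of the connection that
# reaches the WAF-protected distribution. If another proxy/CDN sits in front, all
# clients collapse to that proxy's address and the IP allow-list loses meaning.
AWSTemplateFormatVersion: '2010-09-09'

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: "WebACL"
        Parameters:
          - CreateWebACL
          - WebACLDefaultAction
      - Label:
          default: "IP Addresses"
        Parameters:
          - IPAddress1
          - IPAddress2
          - IPAddress3
      - Label:
          default: "URI1"
        Parameters:
          - MatchType1
          - URI1
      - Label:
          default: "URI2"
        Parameters:
          - MatchType2
          - URI2
      - Label:
          default: "URI3"
        Parameters:
          - MatchType3
          - URI3
      - Label:
          default: "Matching options"
        Parameters:
          - URITextTransformation

Parameters:
  CreateWebACL:
    Type: String
    Default: 'Yes'
    AllowedValues: ['Yes', 'No']
    Description: Create a WebACL containing both rules (No = only the rules and sets are created).
  WebACLDefaultAction:
    Type: String
    Default: ALLOW
    AllowedValues: [ALLOW, BLOCK]
    Description: Action for requests matching neither rule. Only used when CreateWebACL=Yes.

  # WAF Classic IPSet values must be CIDRs (e.g. 192.0.2.44/32); the documented
  # supported IPv4 prefix lengths are /8 and /16 through /32. Validating here fails
  # fast at parameter entry instead of rolling back when the IPSet is created.
  # A blank value is accepted and means "slot unused" (see the Has* conditions).
  IPAddress1:
    Type: String
    Default: ''
    Description: IPv4 CIDR allowed to reach the matched URIs (blank = unused).
    AllowedPattern: '^$|^(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])/(?:8|1[6-9]|2[0-9]|3[0-2])$'
    ConstraintDescription: must be blank or an IPv4 CIDR such as 192.0.2.44/32 (prefix /8 or /16-/32)
  IPAddress2:
    Type: String
    Default: ''
    Description: IPv4 CIDR allowed to reach the matched URIs (blank = unused).
    AllowedPattern: '^$|^(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])/(?:8|1[6-9]|2[0-9]|3[0-2])$'
    ConstraintDescription: must be blank or an IPv4 CIDR such as 192.0.2.44/32 (prefix /8 or /16-/32)
  IPAddress3:
    Type: String
    Default: ''
    Description: IPv4 CIDR allowed to reach the matched URIs (blank = unused).
    AllowedPattern: '^$|^(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])/(?:8|1[6-9]|2[0-9]|3[0-2])$'
    ConstraintDescription: must be blank or an IPv4 CIDR such as 192.0.2.44/32 (prefix /8 or /16-/32)

  # URI slots. A slot is only emitted into the ByteMatchSet when its MatchType is
  # non-blank (HasFieldToMatch* conditions), so a blank default lets unused slots be
  # left empty instead of forcing the operator to type a dummy value.
  # Pick the constraint deliberately: STARTS_WITH "/admin" also covers
  # "/administrator"; EXACTLY "/admin" does not cover "/admin/" or "/admin/users".
  URI1:
    Type: String
    Default: ''
    Description: URI value compared using MatchType1 (ignored when MatchType1 is blank).
  URI2:
    Type: String
    Default: ''
    Description: URI value compared using MatchType2 (ignored when MatchType2 is blank).
  URI3:
    Type: String
    Default: ''
    Description: URI value compared using MatchType3 (ignored when MatchType3 is blank).
  MatchType1:
    Type: String
    Default: ''
    AllowedValues: ['', 'CONTAINS', 'CONTAINS_WORD', 'EXACTLY', 'STARTS_WITH', 'ENDS_WITH']
    Description: Positional constraint for URI1; blank disables the slot.
  MatchType2:
    Type: String
    Default: ''
    AllowedValues: ['', 'CONTAINS', 'CONTAINS_WORD', 'EXACTLY', 'STARTS_WITH', 'ENDS_WITH']
    Description: Positional constraint for URI2; blank disables the slot.
  MatchType3:
    Type: String
    Default: ''
    AllowedValues: ['', 'CONTAINS', 'CONTAINS_WORD', 'EXACTLY', 'STARTS_WITH', 'ENDS_WITH']
    Description: Positional constraint for URI3; blank disables the slot.

  # The original template compared the *raw* URI (TextTransformation NONE). Because
  # WAFBlockRule is the enforcing control, a client outside the IP set could then
  # sidestep it by percent-encoding the path (e.g. "/%61dmin" for an EXACTLY
  # "/admin" tuple) if the origin decodes it. URL_DECODE closes that gap. WAF Classic
  # applies a single transformation per tuple: double-encoding is not unwrapped and
  # matching stays case-sensitive, so choose LOWERCASE instead when the origin treats
  # paths case-insensitively, and keep tuples aligned with the origin's own
  # normalisation. NONE restores the original behaviour.
  URITextTransformation:
    Type: String
    Default: URL_DECODE
    AllowedValues: [URL_DECODE, LOWERCASE, NONE, COMPRESS_WHITE_SPACE, HTML_ENTITY_DECODE, CMD_LINE]
    Description: Transformation WAF applies to the URI before evaluating the URI tuples.

Conditions:
  # Legal in CloudFormation for a condition and a parameter to share a name (they
  # live in separate namespaces), but easy to misread; kept for compatibility.
  CreateWebACL: !Equals [!Ref CreateWebACL, 'Yes']
  HasIPAddress1: !Not [!Equals [!Ref IPAddress1, '']]
  HasIPAddress2: !Not [!Equals [!Ref IPAddress2, '']]
  HasIPAddress3: !Not [!Equals [!Ref IPAddress3, '']]
  HasFieldToMatch1: !Not [!Equals [!Ref MatchType1, '']]
  HasFieldToMatch2: !Not [!Equals [!Ref MatchType2, '']]
  HasFieldToMatch3: !Not [!Equals [!Ref MatchType3, '']]

Resources:
  # URI patterns shared by the allow and block rules. Unused slots resolve to
  # AWS::NoValue, which removes the list element. If every slot is blank the set is
  # empty, the ByteMatch predicate never matches and neither rule ever fires.
  WAFURISet:
    Type: 'AWS::WAF::ByteMatchSet'
    Properties:
      Name: !Sub '${AWS::StackName} - URI Set'
      ByteMatchTuples:
        - !If
          - HasFieldToMatch1
          - FieldToMatch:
              Type: URI
            PositionalConstraint: !Ref MatchType1
            TargetString: !Ref URI1
            TextTransformation: !Ref URITextTransformation
          - !Ref AWS::NoValue
        - !If
          - HasFieldToMatch2
          - FieldToMatch:
              Type: URI
            PositionalConstraint: !Ref MatchType2
            TargetString: !Ref URI2
            TextTransformation: !Ref URITextTransformation
          - !Ref AWS::NoValue
        - !If
          - HasFieldToMatch3
          - FieldToMatch:
              Type: URI
            PositionalConstraint: !Ref MatchType3
            TargetString: !Ref URI3
            TextTransformation: !Ref URITextTransformation
          - !Ref AWS::NoValue

  # Allowed source ranges. IPv4 only: with no IPV6 descriptors an IPv6 client can
  # never satisfy the IPMatch predicate, so WAFBlockRule blocks it on the matched
  # URIs (fail-closed). Likewise, if every slot is blank the set is empty and the
  # block rule applies to every client on the matched URIs.
  WAFIPSet:
    Type: 'AWS::WAF::IPSet'
    Properties:
      Name: !Sub '${AWS::StackName} - IP Set'
      IPSetDescriptors:
        - !If
          - HasIPAddress1
          - Type: IPV4
            Value: !Ref IPAddress1
          - !Ref AWS::NoValue
        - !If
          - HasIPAddress2
          - Type: IPV4
            Value: !Ref IPAddress2
          - !Ref AWS::NoValue
        - !If
          - HasIPAddress3
          - Type: IPV4
            Value: !Ref IPAddress3
          - !Ref AWS::NoValue

  # Matches: URI in set AND source IP in set.
  # MetricName must be alphanumeric, hence the stack name with hyphens stripped.
  WAFAllowRule:
    Type: 'AWS::WAF::Rule'
    Properties:
      Name: !Sub '${AWS::StackName} - Allow Path And IP Rule'
      MetricName: !Join ['', [!Join ['', !Split ['-', !Ref 'AWS::StackName']], 'AllowPathIPlistRule']]
      Predicates:
        - DataId: !Ref WAFURISet
          Negated: false
          Type: ByteMatch
        - DataId: !Ref WAFIPSet
          Negated: false
          Type: IPMatch

  # Matches: URI in set AND source IP NOT in set (Negated IPMatch). This is the
  # enforcing rule; its strength is bounded by the URI normalisation chosen in
  # URITextTransformation and by the MatchType/URI values supplied.
  WAFBlockRule:
    Type: 'AWS::WAF::Rule'
    Properties:
      Name: !Sub '${AWS::StackName} - Block Path And Not IP Rule'
      MetricName: !Join ['', [!Join ['', !Split ['-', !Ref 'AWS::StackName']], 'BlockPathIPlistRule']]
      Predicates:
        - DataId: !Ref WAFURISet
          Negated: false
          Type: ByteMatch
        - DataId: !Ref WAFIPSet
          Negated: true
          Type: IPMatch

  # Optional WebACL. The allow rule runs first (priority 10) and terminates
  # evaluation for allow-listed clients on the matched URIs, so rules added later
  # at higher priority numbers cannot block those clients; the block rule follows
  # at priority 20. Everything else falls through to WebACLDefaultAction.
  WAFWebACL:
    Condition: CreateWebACL
    Type: 'AWS::WAF::WebACL'
    Properties:
      Name: !Ref 'AWS::StackName'
      DefaultAction:
        Type: !Ref WebACLDefaultAction
      MetricName: !Join ['', [!Join ['', !Split ['-', !Ref 'AWS::StackName']], 'Metric']]
      Rules:
        - Action:
            Type: ALLOW
          Priority: 10
          RuleId: !Ref WAFAllowRule
        - Action:
            Type: BLOCK
          Priority: 20
          RuleId: !Ref WAFBlockRule

Outputs:
  # Rule IDs for attaching to an existing WebACL when CreateWebACL=No.
  WAFAllowRule:
    Value: !Ref WAFAllowRule
  WAFBlockRule:
    Value: !Ref WAFBlockRule
  WAFWebACL:
    Condition: CreateWebACL
    Value: !Ref WAFWebACL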