AWS WAF を使って ALB に設定されているパスに対して IP 制限を施す Terraform サンプル
# Source addresses that are permitted to reach the restricted paths.
# Both descriptors are single hosts (/32); the xxx/yyy octets are
# placeholders to be replaced with the real client addresses.
# The set is only an allow-list when combined with the IPMatch predicate
# of aws_wafregional_rule.allow-rule below.
resource "aws_wafregional_ipset" "ipset" {
  name = "example-IPSet-${terraform.workspace}"

  ip_set_descriptor {
    type  = "IPV4"
    value = "xxx.xxx.xxx.xxx/32"
  }

  ip_set_descriptor {
    type  = "IPV4"
    value = "yyy.yyy.yyy.yyy/32"
  }
}
# URI patterns that identify the protected paths.  A request matches the
# set when its URI contains either target string anywhere (CONTAINS), so
# e.g. "/other/path1/index.html" is covered as well as "/path1/index.html".
#
# NOTE(review): text_transformation = "NONE" compares the raw URI bytes;
# percent-encoded or differently-cased spellings of the same path are not
# matched.  Whether that matters depends on how the backend behind the ALB
# normalises the path -- confirm, and consider the URL_DECODE / LOWERCASE
# transformations if it treats such variants as the same resource.
resource "aws_wafregional_byte_match_set" "byte_set" {
  name = "example-ByteSet-${terraform.workspace}"

  byte_match_tuples {
    field_to_match {
      type = "URI"
    }

    positional_constraint = "CONTAINS"
    target_string         = "/path1/index.html"
    text_transformation   = "NONE"
  }

  byte_match_tuples {
    field_to_match {
      type = "URI"
    }

    positional_constraint = "CONTAINS"
    target_string         = "/path2/index.html"
    text_transformation   = "NONE"
  }
}
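# Allow rule: matches only when BOTH predicates hold -- the URI is one of
# the protected paths AND the source address is in the IP set.  Predicates
# within a WAF Classic rule are ANDed, which is what turns the IP set into
# an allow-list for those paths.
#
# metric_name may contain only alphanumeric characters, so the workspace
# name is stripped of anything else before it is appended; for a purely
# alphanumeric workspace (e.g. "default") the result is unchanged.
resource "aws_wafregional_rule" "allow-rule" {
  # Redundant with the interpolated references below, kept for clarity.
  depends_on = ["aws_wafregional_byte_match_set.byte_set", "aws_wafregional_ipset.ipset"]

  name        = "exampleAllowRule${terraform.workspace}"
  metric_name = "exampleAllowRule${replace(terraform.workspace, "/[^A-Za-z0-9]/", "")}"

  predicate {
    data_id = "${aws_wafregional_byte_match_set.byte_set.id}"
    negated = false
    type    = "ByteMatch"
  }

  predicate {
    data_id = "${aws_wafregional_ipset.ipset.id}"
    negated = false
    type    = "IPMatch"
  }
}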
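# Deny rule: matches any request whose URI is one of the protected paths,
# regardless of source address.  It only takes effect for addresses that
# did not already match allow-rule, because the web ACL evaluates
# allow-rule first (lower priority number).
#
# metric_name may contain only alphanumeric characters, so the workspace
# name is stripped of anything else before it is appended; for a purely
# alphanumeric workspace (e.g. "default") the result is unchanged.
resource "aws_wafregional_rule" "deny-rule" {
  # Redundant with the interpolated reference below, kept for clarity.
  depends_on = ["aws_wafregional_byte_match_set.byte_set"]

  name        = "exampleDenyRule${terraform.workspace}"
  metric_name = "exampleDenyRule${replace(terraform.workspace, "/[^A-Za-z0-9]/", "")}"

  predicate {
    data_id = "${aws_wafregional_byte_match_set.byte_set.id}"
    negated = false
    type    = "ByteMatch"
  }
}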
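# Web ACL tying the two rules together.  Rules are evaluated in ascending
# priority and the first match decides:
#   1. allow-rule  (protected path AND allowed IP)  -> ALLOW
#   2. deny-rule   (protected path, any other IP)   -> BLOCK
#   default        (every other request)            -> ALLOW
# Only the listed paths are therefore restricted; the rest of the ALB
# stays open.  Swapping the two priorities would block the allowed IPs too.
#
# metric_name may contain only alphanumeric characters, so the workspace
# name is stripped of anything else before it is appended; for a purely
# alphanumeric workspace (e.g. "default") the result is unchanged.
resource "aws_wafregional_web_acl" "acl" {
  name        = "example${terraform.workspace}"
  metric_name = "example${replace(terraform.workspace, "/[^A-Za-z0-9]/", "")}"

  default_action {
    type = "ALLOW"
  }

  rule {
    priority = 1
    rule_id  = "${aws_wafregional_rule.allow-rule.id}"

    action {
      type = "ALLOW"
    }
  }

  rule {
    priority = 2
    rule_id  = "${aws_wafregional_rule.deny-rule.id}"

    action {
      type = "BLOCK"
    }
  }
}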
# Attach the web ACL to the ALB of the current workspace.  The ALB ARN is
# read from var.settings under the key "<workspace>.alb_arn"; var.settings
# itself is declared outside this snippet, so each workspace in use must
# have such an entry or the lookup fails at plan time.
resource "aws_wafregional_web_acl_association" "association" {
  web_acl_id   = "${aws_wafregional_web_acl.acl.id}"
  resource_arn = "${lookup(var.settings, "${terraform.workspace}.alb_arn")}"
}