markz0r/main_tf_waf.tf

## main_tf_waf.tf
module "aws_waf_owasp_top_10_rules" {
  source = "modules/aws_waf_owasp_top_10_rules"

  # For a better understanding of what are those parameters mean,
  # please read the description of each variable in the variables.tf file:
  # https://github.com/traveloka/terraform-aws-waf-owasp-top-10-rules/blob/master/variables.tf
  product_domain = "ss"

  service_name                   = "sswaf"
  environment                    = "production"
  description                    = "OWASP Top 10 rules for sonetwaf"
  target_scope                   = "regional"
  create_rule_group              = "true"
  max_expected_uri_size          = "512"
  max_expected_query_string_size = "1024"
  max_expected_body_size         = "4096"
  max_expected_cookie_size       = "4093"
  csrf_expected_header           = "x-csrf-token"
  csrf_expected_size             = "36"
}

resource "aws_wafregional_rate_based_rule" "rate_limiter_rule" {
  depends_on  = ["aws_wafregional_ipset.ss-test-ipset"]
  name        = "sswaf-rate-limiter-2000-5min"
  metric_name = "sswafRateLimiter"
  rate_key    = "IP"
  rate_limit  = "2000"

  predicate {
    data_id = "${aws_wafregional_ipset.ss-test-ipset.id}"
    negated = false
    type    = "IPMatch"
  }
}

resource "aws_wafregional_web_acl" "sswaf_webacl" {
  name        = "sswaf-WebACL"
  metric_name = "sswafWebACLMetric"

  #logging_configuration {
  # Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
  #log_destination = "${module.webacl_supporting_resources.firehose_delivery_stream_arn}"
  #}
  default_action {
    type = "ALLOW"
  }

  # Configuration blocks containing rules to associate with the web ACL and the settings for each rule.
  rule {
    # Specifies the order in which the rules in a WebACL are evaluated.
    # Rules with a lower value are evaluated before rules with a higher value.
    priority = "0"

    rule_id = "${module.aws_waf_owasp_top_10_rules.rule_group_id}"

    # Valid values are `GROUP`, `RATE_BASED`, and `REGULAR`. The rule type, either REGULAR, as defined by Rule,
    # RATE_BASED, as defined by RateBasedRule,or GROUP, as defined by RuleGroup.
    type = "GROUP"

    # Only used if type is `GROUP`m Override the action that a group requests CloudFront or AWS WAF takes
    # when a web request matches the conditions in the rule.
    override_action {
      # Valid values are `NONE` and `COUNT`
      type = "NONE"
    }
  }

  rule {
    priority = "1"
    rule_id  = "${aws_wafregional_rate_based_rule.rate_limiter_rule.id}"
    type     = "RATE_BASED"

    action {
      # Valid values are `ALLOW`, `BLOCK`, and `COUNT`.
      type = "BLOCK"
    }
  }
}

# Only available for regional WAF - association with alb, will enable the WAF WebACL on a certain ALB
resource "aws_wafregional_web_acl_association" "alb" {
  resource_arn = "${module.external_lb.default_alb_arn}"
  web_acl_id   = "${aws_wafregional_web_acl.sswaf_webacl.id}"
}

resource "aws_wafregional_ipset" "ss-test-ipset" {
  name = "ss-Test-IPSet"

  ip_set_descriptor {
    type  = "IPV4"
    value = "59.299.299.50/32" #FAKE IP
  }
}
	module "aws_waf_owasp_top_10_rules" {
	source = "modules/aws_waf_owasp_top_10_rules"

	# For a better understanding of what are those parameters mean,
	# please read the description of each variable in the variables.tf file:
	# https://github.com/traveloka/terraform-aws-waf-owasp-top-10-rules/blob/master/variables.tf
	product_domain = "ss"

	service_name = "sswaf"
	environment = "production"
	description = "OWASP Top 10 rules for sonetwaf"
	target_scope = "regional"
	create_rule_group = "true"
	max_expected_uri_size = "512"
	max_expected_query_string_size = "1024"
	max_expected_body_size = "4096"
	max_expected_cookie_size = "4093"
	csrf_expected_header = "x-csrf-token"
	csrf_expected_size = "36"
	}

	resource "aws_wafregional_rate_based_rule" "rate_limiter_rule" {
	depends_on = ["aws_wafregional_ipset.ss-test-ipset"]
	name = "sswaf-rate-limiter-2000-5min"
	metric_name = "sswafRateLimiter"
	rate_key = "IP"
	rate_limit = "2000"

	predicate {
	data_id = "${aws_wafregional_ipset.ss-test-ipset.id}"
	negated = false
	type = "IPMatch"
	}
	}

	resource "aws_wafregional_web_acl" "sswaf_webacl" {
	name = "sswaf-WebACL"
	metric_name = "sswafWebACLMetric"

	#logging_configuration {
	# Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
	#log_destination = "${module.webacl_supporting_resources.firehose_delivery_stream_arn}"
	#}
	default_action {
	type = "ALLOW"
	}

	# Configuration blocks containing rules to associate with the web ACL and the settings for each rule.
	rule {
	# Specifies the order in which the rules in a WebACL are evaluated.
	# Rules with a lower value are evaluated before rules with a higher value.
	priority = "0"

	rule_id = "${module.aws_waf_owasp_top_10_rules.rule_group_id}"

	# Valid values are `GROUP`, `RATE_BASED`, and `REGULAR`. The rule type, either REGULAR, as defined by Rule,
	# RATE_BASED, as defined by RateBasedRule,or GROUP, as defined by RuleGroup.
	type = "GROUP"

	# Only used if type is `GROUP`m Override the action that a group requests CloudFront or AWS WAF takes
	# when a web request matches the conditions in the rule.
	override_action {
	# Valid values are `NONE` and `COUNT`
	type = "NONE"
	}
	}

	rule {
	priority = "1"
	rule_id = "${aws_wafregional_rate_based_rule.rate_limiter_rule.id}"
	type = "RATE_BASED"

	action {
	# Valid values are `ALLOW`, `BLOCK`, and `COUNT`.
	type = "BLOCK"
	}
	}
	}

	# Only available for regional WAF - association with alb, will enable the WAF WebACL on a certain ALB
	resource "aws_wafregional_web_acl_association" "alb" {
	resource_arn = "${module.external_lb.default_alb_arn}"
	web_acl_id = "${aws_wafregional_web_acl.sswaf_webacl.id}"
	}

	resource "aws_wafregional_ipset" "ss-test-ipset" {
	name = "ss-Test-IPSet"

	ip_set_descriptor {
	type = "IPV4"
	value = "59.299.299.50/32" #FAKE IP
	}
	}