Skip to content

Instantly share code, notes, and snippets.

@markz0r
Created July 1, 2019 22:19
Show Gist options
  • Save markz0r/4bf3092a8e8aa8a98a387a2bcb51f494 to your computer and use it in GitHub Desktop.
Save markz0r/4bf3092a8e8aa8a98a387a2bcb51f494 to your computer and use it in GitHub Desktop.
module "aws_waf_owasp_top_10_rules" {
source = "modules/aws_waf_owasp_top_10_rules"
# For a better understanding of what are those parameters mean,
# please read the description of each variable in the variables.tf file:
# https://github.com/traveloka/terraform-aws-waf-owasp-top-10-rules/blob/master/variables.tf
product_domain = "ss"
service_name = "sswaf"
environment = "production"
description = "OWASP Top 10 rules for sonetwaf"
target_scope = "regional"
create_rule_group = "true"
max_expected_uri_size = "512"
max_expected_query_string_size = "1024"
max_expected_body_size = "4096"
max_expected_cookie_size = "4093"
csrf_expected_header = "x-csrf-token"
csrf_expected_size = "36"
}
resource "aws_wafregional_rate_based_rule" "rate_limiter_rule" {
depends_on = ["aws_wafregional_ipset.ss-test-ipset"]
name = "sswaf-rate-limiter-2000-5min"
metric_name = "sswafRateLimiter"
rate_key = "IP"
rate_limit = "2000"
predicate {
data_id = "${aws_wafregional_ipset.ss-test-ipset.id}"
negated = false
type = "IPMatch"
}
}
resource "aws_wafregional_web_acl" "sswaf_webacl" {
name = "sswaf-WebACL"
metric_name = "sswafWebACLMetric"
#logging_configuration {
# Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
#log_destination = "${module.webacl_supporting_resources.firehose_delivery_stream_arn}"
#}
default_action {
type = "ALLOW"
}
# Configuration blocks containing rules to associate with the web ACL and the settings for each rule.
rule {
# Specifies the order in which the rules in a WebACL are evaluated.
# Rules with a lower value are evaluated before rules with a higher value.
priority = "0"
rule_id = "${module.aws_waf_owasp_top_10_rules.rule_group_id}"
# Valid values are `GROUP`, `RATE_BASED`, and `REGULAR`. The rule type, either REGULAR, as defined by Rule,
# RATE_BASED, as defined by RateBasedRule,or GROUP, as defined by RuleGroup.
type = "GROUP"
# Only used if type is `GROUP`m Override the action that a group requests CloudFront or AWS WAF takes
# when a web request matches the conditions in the rule.
override_action {
# Valid values are `NONE` and `COUNT`
type = "NONE"
}
}
rule {
priority = "1"
rule_id = "${aws_wafregional_rate_based_rule.rate_limiter_rule.id}"
type = "RATE_BASED"
action {
# Valid values are `ALLOW`, `BLOCK`, and `COUNT`.
type = "BLOCK"
}
}
}
# Only available for regional WAF - association with alb, will enable the WAF WebACL on a certain ALB
resource "aws_wafregional_web_acl_association" "alb" {
resource_arn = "${module.external_lb.default_alb_arn}"
web_acl_id = "${aws_wafregional_web_acl.sswaf_webacl.id}"
}
resource "aws_wafregional_ipset" "ss-test-ipset" {
name = "ss-Test-IPSet"
ip_set_descriptor {
type = "IPV4"
value = "59.299.299.50/32" #FAKE IP
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment