-
-
Save sivanovhm/ac63983baebdff2d577f4e760b0c5260 to your computer and use it in GitHub Desktop.
aws_wafv2_web_acl config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| resource "aws_wafv2_web_acl" "cloudfront" { | |
| provider = aws.us-east-1 | |
| count = var.create_cloudfront == "yes" ? 1 : 0 | |
| name = var.name | |
| scope = "CLOUDFRONT" | |
| tags = { | |
| Stack = var.name | |
| } | |
| default_action { | |
| allow {} | |
| } | |
| dynamic "rule" { | |
| for_each = var.wafv2_web_acl_extra_rules | |
| content { | |
| name = rule.value["name"] | |
| override_action { | |
| none {} | |
| } | |
| priority = rule.value["priority"] | |
| statement { | |
| rule_group_reference_statement { | |
| arn = rule.value["rule_group_arn"] | |
| } | |
| } | |
| visibility_config { | |
| cloudwatch_metrics_enabled = true | |
| metric_name = rule.value["name"] | |
| sampled_requests_enabled = false | |
| } | |
| } | |
| } | |
| rule { | |
| name = "AWSManagedRulesAmazonIpReputationList" | |
| priority = 1001 | |
| override_action { | |
| none {} | |
| } | |
| statement { | |
| managed_rule_group_statement { | |
| name = "AWSManagedRulesAmazonIpReputationList" | |
| vendor_name = "AWS" | |
| } | |
| } | |
| visibility_config { | |
| cloudwatch_metrics_enabled = true | |
| metric_name = "AWSManagedRulesAmazonIpReputationList" | |
| sampled_requests_enabled = false | |
| } | |
| } | |
| rule { | |
| name = "CommonRules" | |
| priority = 1002 | |
| override_action { | |
| none {} | |
| } | |
| statement { | |
| rule_group_reference_statement { | |
| arn = data.aws_wafv2_rule_group.common_rules.arn | |
| } | |
| } | |
| visibility_config { | |
| cloudwatch_metrics_enabled = true | |
| metric_name = "CommonRules" | |
| sampled_requests_enabled = false | |
| } | |
| } | |
| rule { | |
| name = "HTTPFloodRateLimitingRule" | |
| priority = 1003 | |
| action { | |
| block {} | |
| } | |
| statement { | |
| rate_based_statement { | |
| aggregate_key_type = "IP" | |
| limit = var.wafv2_http_floodrate_limit | |
| scope_down_statement { | |
| and_statement { | |
| dynamic "statement" { | |
| for_each = var.wafv2_http_floodrate_whitelisted_ip_set_arn != "" ? [1] : [] | |
| content { | |
| not_statement { | |
| statement { | |
| ip_set_reference_statement { | |
| arn = var.wafv2_http_floodrate_whitelisted_ip_set_arn | |
| } | |
| } | |
| } | |
| } | |
| } | |
| dynamic "statement" { | |
| for_each = var.wafv2_http_floodrate_whitelisted_uri != "" || var.wafv2_http_floodrate_whitelisted_uri_positional_constraint != "" ? [1] : [] | |
| content { | |
| not_statement { | |
| statement { | |
| byte_match_statement { | |
| positional_constraint = var.wafv2_http_floodrate_whitelisted_uri_positional_constraint | |
| search_string = var.wafv2_http_floodrate_whitelisted_uri | |
| field_to_match { | |
| uri_path {} | |
| } | |
| text_transformation { | |
| priority = 0 | |
| type = "LOWERCASE" | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| statement { | |
| not_statement { | |
| statement { | |
| byte_match_statement { | |
| positional_constraint = "CONTAINS" | |
| search_string = "wordpress_logged_in_" | |
| field_to_match { | |
| single_header { | |
| name = "cookie" | |
| } | |
| } | |
| text_transformation { | |
| priority = 0 | |
| type = "LOWERCASE" | |
| } | |
| } | |
| } | |
| } | |
| } | |
| statement { | |
| not_statement { | |
| statement { | |
| byte_match_statement { | |
| positional_constraint = "CONTAINS" | |
| search_string = "wp-admin/" | |
| field_to_match { | |
| uri_path {} | |
| } | |
| text_transformation { | |
| priority = 0 | |
| type = "LOWERCASE" | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| visibility_config { | |
| cloudwatch_metrics_enabled = true | |
| metric_name = "HTTPFloodRateLimitingRule" | |
| sampled_requests_enabled = false | |
| } | |
| } | |
| rule { | |
| name = "AWSManagedRulesPHPRuleSet" | |
| priority = 1004 | |
| override_action { | |
| none {} | |
| } | |
| statement { | |
| managed_rule_group_statement { | |
| name = "AWSManagedRulesPHPRuleSet" | |
| vendor_name = "AWS" | |
| } | |
| } | |
| visibility_config { | |
| cloudwatch_metrics_enabled = true | |
| metric_name = "AWSManagedRulesPHPRuleSet" | |
| sampled_requests_enabled = false | |
| } | |
| } | |
| rule { | |
| name = "AWSManagedRulesSQLiRuleSet" | |
| priority = 1005 | |
| override_action { | |
| none {} | |
| } | |
| statement { | |
| managed_rule_group_statement { | |
| name = "AWSManagedRulesSQLiRuleSet" | |
| vendor_name = "AWS" | |
| excluded_rule { | |
| name = "SQLi_BODY" | |
| } | |
| excluded_rule { | |
| name = "SQLi_COOKIE" | |
| } | |
| } | |
| } | |
| visibility_config { | |
| cloudwatch_metrics_enabled = true | |
| metric_name = "AWSManagedRulesSQLiRuleSet" | |
| sampled_requests_enabled = false | |
| } | |
| } | |
| rule { | |
| name = "AWSManagedRulesKnownBadInputsRuleSet" | |
| priority = 1006 | |
| override_action { | |
| none {} | |
| } | |
| statement { | |
| managed_rule_group_statement { | |
| name = "AWSManagedRulesKnownBadInputsRuleSet" | |
| vendor_name = "AWS" | |
| } | |
| } | |
| visibility_config { | |
| cloudwatch_metrics_enabled = true | |
| metric_name = "AWSManagedRulesKnownBadInputsRuleSet" | |
| sampled_requests_enabled = false | |
| } | |
| } | |
| rule { | |
| name = "PageViewCountRule" | |
| priority = 1101 | |
| action { | |
| count {} | |
| } | |
| statement { | |
| byte_match_statement { | |
| positional_constraint = "ENDS_WITH" | |
| search_string = "/" | |
| field_to_match { | |
| uri_path {} | |
| } | |
| text_transformation { | |
| priority = 0 | |
| type = "NONE" | |
| } | |
| } | |
| } | |
| visibility_config { | |
| cloudwatch_metrics_enabled = true | |
| metric_name = "PageViewCount" | |
| sampled_requests_enabled = false | |
| } | |
| } | |
| rule { | |
| name = "PageViewCountAdminRuleGroup" | |
| priority = 1102 | |
| action { | |
| count {} | |
| } | |
| statement { | |
| byte_match_statement { | |
| positional_constraint = "CONTAINS" | |
| search_string = ".php" | |
| field_to_match { | |
| uri_path {} | |
| } | |
| text_transformation { | |
| priority = 0 | |
| type = "NONE" | |
| } | |
| } | |
| } | |
| visibility_config { | |
| cloudwatch_metrics_enabled = true | |
| metric_name = "PageViewCountAdmin" | |
| sampled_requests_enabled = false | |
| } | |
| } | |
| visibility_config { | |
| cloudwatch_metrics_enabled = true | |
| metric_name = local.waf_web_acl_metric_name | |
| sampled_requests_enabled = false | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment