aws_wafv2_web_acl config
# WAFv2 web ACL placed in front of CloudFront. Created only when
# var.create_cloudfront == "yes"; because of `count`, other resources refer to
# it as aws_wafv2_web_acl.cloudfront[0].
resource "aws_wafv2_web_acl" "cloudfront" {
  # CLOUDFRONT-scoped web ACLs must be created in us-east-1, hence the aliased provider.
  provider = aws.us-east-1
  count    = var.create_cloudfront == "yes" ? 1 : 0

  name  = var.name
  scope = "CLOUDFRONT"

  tags = {
    Stack = var.name
  }

  # Requests matching no blocking rule are passed through to the origin.
  default_action {
    allow {}
  }

  # Caller-supplied rule groups. Each element provides name, priority and
  # rule_group_arn. WAF requires rule priorities to be unique within the ACL,
  # so caller-chosen priorities must not collide with the fixed 1001-1102
  # values used by the rules below.
  dynamic "rule" {
    for_each = var.wafv2_web_acl_extra_rules

    content {
      name     = rule.value.name
      priority = rule.value.priority

      statement {
        rule_group_reference_statement {
          arn = rule.value.rule_group_arn
        }
      }

      # Rule-group references take override_action; none {} keeps the group's own actions.
      override_action {
        none {}
      }

      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = rule.value.name
        sampled_requests_enabled   = false
      }
    }
  }

  # AWS-managed IP reputation list, evaluated first among the fixed rules.
  rule {
    name     = "AWSManagedRulesAmazonIpReputationList"
    priority = 1001

    statement {
      managed_rule_group_statement {
        vendor_name = "AWS"
        name        = "AWSManagedRulesAmazonIpReputationList"
      }
    }

    override_action {
      none {}
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWSManagedRulesAmazonIpReputationList"
      sampled_requests_enabled   = false
    }
  }

  # Shared custom rule group looked up via the common_rules data source
  # (defined elsewhere in the module).
  rule {
    name     = "CommonRules"
    priority = 1002

    statement {
      rule_group_reference_statement {
        arn = data.aws_wafv2_rule_group.common_rules.arn
      }
    }

    override_action {
      none {}
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "CommonRules"
      sampled_requests_enabled   = false
    }
  }

  # Per-source-IP rate limit. The scope-down and_statement is a list of
  # exemptions, each wrapped in not_statement, so the limit is applied only
  # to requests that match none of them. and_statement needs at least two
  # members; the two fixed WordPress exemptions guarantee that even when both
  # optional blocks are omitted.
  rule {
    name     = "HTTPFloodRateLimitingRule"
    priority = 1003

    statement {
      rate_based_statement {
        aggregate_key_type = "IP"
        limit              = var.wafv2_http_floodrate_limit

        scope_down_statement {
          and_statement {
            # Optional: requests from the configured IP set are exempt.
            dynamic "statement" {
              for_each = var.wafv2_http_floodrate_whitelisted_ip_set_arn != "" ? [1] : []

              content {
                not_statement {
                  statement {
                    ip_set_reference_statement {
                      arn = var.wafv2_http_floodrate_whitelisted_ip_set_arn
                    }
                  }
                }
              }
            }

            # Optional: requests whose path matches the configured URI pattern
            # are exempt. The path is LOWERCASEd before comparison, so
            # search_string must be supplied in lowercase.
            # NOTE(review): this block is emitted when *either* variable is
            # non-empty, so setting only one of them yields an empty
            # search_string or positional_constraint — confirm the variable
            # defaults/validation rule that out.
            dynamic "statement" {
              for_each = (var.wafv2_http_floodrate_whitelisted_uri != "" || var.wafv2_http_floodrate_whitelisted_uri_positional_constraint != "") ? [1] : []

              content {
                not_statement {
                  statement {
                    byte_match_statement {
                      search_string         = var.wafv2_http_floodrate_whitelisted_uri
                      positional_constraint = var.wafv2_http_floodrate_whitelisted_uri_positional_constraint

                      field_to_match {
                        uri_path {}
                      }

                      text_transformation {
                        priority = 0
                        type     = "LOWERCASE"
                      }
                    }
                  }
                }
              }
            }

            # Requests carrying a WordPress login cookie are exempt.
            # NOTE(review): this keys on a client-supplied Cookie header
            # substring, so any request that carries it is exempt from the
            # limit whether or not a real session exists; the wp-admin/ path
            # exemption below has the same property. Size the limit with
            # that in mind.
            statement {
              not_statement {
                statement {
                  byte_match_statement {
                    search_string         = "wordpress_logged_in_"
                    positional_constraint = "CONTAINS"

                    field_to_match {
                      single_header {
                        name = "cookie"
                      }
                    }

                    text_transformation {
                      priority = 0
                      type     = "LOWERCASE"
                    }
                  }
                }
              }
            }

            # Requests to the WordPress admin area are exempt.
            statement {
              not_statement {
                statement {
                  byte_match_statement {
                    search_string         = "wp-admin/"
                    positional_constraint = "CONTAINS"

                    field_to_match {
                      uri_path {}
                    }

                    text_transformation {
                      priority = 0
                      type     = "LOWERCASE"
                    }
                  }
                }
              }
            }
          }
        }
      }
    }

    # Custom (non-group) rules take action rather than override_action.
    action {
      block {}
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "HTTPFloodRateLimitingRule"
      sampled_requests_enabled   = false
    }
  }

  # AWS-managed PHP rule set.
  rule {
    name     = "AWSManagedRulesPHPRuleSet"
    priority = 1004

    statement {
      managed_rule_group_statement {
        vendor_name = "AWS"
        name        = "AWSManagedRulesPHPRuleSet"
      }
    }

    override_action {
      none {}
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWSManagedRulesPHPRuleSet"
      sampled_requests_enabled   = false
    }
  }

  # AWS-managed SQLi rule set. SQLi_BODY and SQLi_COOKIE are excluded, i.e.
  # demoted to count, so request bodies and cookies are not blocked on SQLi
  # signatures by this group — a deliberate coverage gap worth documenting
  # at the variable/module level.
  # NOTE(review): later AWS provider versions deprecate excluded_rule in
  # favour of rule_action_override; check the pinned provider version.
  rule {
    name     = "AWSManagedRulesSQLiRuleSet"
    priority = 1005

    statement {
      managed_rule_group_statement {
        vendor_name = "AWS"
        name        = "AWSManagedRulesSQLiRuleSet"

        excluded_rule {
          name = "SQLi_BODY"
        }

        excluded_rule {
          name = "SQLi_COOKIE"
        }
      }
    }

    override_action {
      none {}
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWSManagedRulesSQLiRuleSet"
      sampled_requests_enabled   = false
    }
  }

  # AWS-managed known-bad-inputs rule set.
  rule {
    name     = "AWSManagedRulesKnownBadInputsRuleSet"
    priority = 1006

    statement {
      managed_rule_group_statement {
        vendor_name = "AWS"
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
      }
    }

    override_action {
      none {}
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWSManagedRulesKnownBadInputsRuleSet"
      sampled_requests_enabled   = false
    }
  }

  # Metrics-only rule: counts requests whose path ends with "/" (page views).
  # count {} never blocks; it only feeds the CloudWatch metric below.
  rule {
    name     = "PageViewCountRule"
    priority = 1101

    statement {
      byte_match_statement {
        search_string         = "/"
        positional_constraint = "ENDS_WITH"

        field_to_match {
          uri_path {}
        }

        text_transformation {
          priority = 0
          type     = "NONE"
        }
      }
    }

    action {
      count {}
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "PageViewCount"
      sampled_requests_enabled   = false
    }
  }

  # Metrics-only rule: counts requests whose path contains ".php". No NONE
  # transformation is applied, so the match is case-sensitive.
  rule {
    name     = "PageViewCountAdminRuleGroup"
    priority = 1102

    statement {
      byte_match_statement {
        search_string         = ".php"
        positional_constraint = "CONTAINS"

        field_to_match {
          uri_path {}
        }

        text_transformation {
          priority = 0
          type     = "NONE"
        }
      }
    }

    action {
      count {}
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "PageViewCountAdmin"
      sampled_requests_enabled   = false
    }
  }

  # ACL-level metrics. NOTE(review): sampled_requests_enabled is false here
  # and on every rule, so no matched-request samples are retained for triage —
  # only CloudWatch counters. Consider enabling sampling (and a separate
  # aws_wafv2_web_acl_logging_configuration) when investigating blocks or
  # false positives.
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = local.waf_web_acl_metric_name
    sampled_requests_enabled   = false
  }
}