Feature/exclude rules support (#2)
* Add support to allow exclusion of rules for each set of rules

* update docs

* fix template
marcincuber authored Mar 27, 2020
1 parent c0348ff commit 9fbb9ac
Showing 5 changed files with 220 additions and 28 deletions.
65 changes: 49 additions & 16 deletions README.md
Expand Up @@ -42,25 +42,58 @@ Module is to be used with Terraform > 0.12.
Module managed by [Marcin Cuber](https://github.com/marcincuber) [LinkedIn](https://www.linkedin.com/in/marcincuber/).

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Providers

| Name | Version |
|------|---------|
| aws | n/a |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|:----:|:-----:|:-----:|
| alb\_arn | Application Load Balancer ARN | string | `""` | no |
| enable\_AdminProtectionRuleSet | | bool | `"false"` | no |
| enable\_AmazonIpReputationList | | bool | `"false"` | no |
| enable\_AnonymousIpList | | bool | `"false"` | no |
| enable\_CommonRuleSet | | bool | `"false"` | no |
| enable\_KnownBadInputsRuleSet | | bool | `"false"` | no |
| enable\_LinuxRuleSet | | bool | `"false"` | no |
| enable\_PHPRuleSet | | bool | `"false"` | no |
| enable\_SQLiRuleSet | | bool | `"false"` | no |
| enable\_UnixRuleSet | | bool | `"false"` | no |
| enable\_WindowsRuleSet | | bool | `"false"` | no |
| enable\_WordPressRuleSet | | bool | `"false"` | no |
| enabled | Whether to create the resources. Set to `false` to prevent the module from creating any resources | bool | `"true"` | no |
| name\_prefix | Name prefix used to create resources. | string | n/a | yes |
| tags | A map of tags \(key-value pairs\) passed to resources. | map(string) | `{}` | no |
|------|-------------|------|---------|:-----:|
| AdminProtectionRuleSetExcludedRules | n/a | `string` | `""` | no |
| AmazonIpReputationListExcludedRules | n/a | `string` | `""` | no |
| CommonRuleSetExcludedRules | n/a | `string` | `""` | no |
| KnownBadInputsRuleSetExcludedRules | n/a | `string` | `""` | no |
| LinuxRuleSetExcludedRules | n/a | `string` | `""` | no |
| PHPRuleSetExcludedRules | n/a | `string` | `""` | no |
| RulesAnonymousIpListExcludedRules | n/a | `string` | `""` | no |
| SQLiRuleSetExcludedRules | n/a | `string` | `""` | no |
| UnixRuleSetExcludedRules | n/a | `string` | `""` | no |
| WindowsRuleSetExcludedRules | n/a | `string` | `""` | no |
| WordPressRuleSetExcludedRules | n/a | `string` | `""` | no |
| alb\_arn | Application Load Balancer ARN | `string` | `""` | no |
| enable\_AdminProtectionRuleSet | n/a | `bool` | `false` | no |
| enable\_AmazonIpReputationList | n/a | `bool` | `false` | no |
| enable\_AnonymousIpList | n/a | `bool` | `false` | no |
| enable\_CommonRuleSet | n/a | `bool` | `false` | no |
| enable\_DefaultActionAllow | n/a | `bool` | `true` | no |
| enable\_KnownBadInputsRuleSet | n/a | `bool` | `false` | no |
| enable\_LinuxRuleSet | n/a | `bool` | `false` | no |
| enable\_OverrideActionCountAdminProtectionRuleSet | n/a | `bool` | `true` | no |
| enable\_OverrideActionCountAmazonIpReputationList | n/a | `bool` | `true` | no |
| enable\_OverrideActionCountAnonymousIpList | n/a | `bool` | `true` | no |
| enable\_OverrideActionCountCommonRuleSet | n/a | `bool` | `true` | no |
| enable\_OverrideActionCountKnownBadInputsRuleSet | n/a | `bool` | `true` | no |
| enable\_OverrideActionCountLinuxRuleSet | n/a | `bool` | `true` | no |
| enable\_OverrideActionCountPHPRuleSet | n/a | `bool` | `true` | no |
| enable\_OverrideActionCountSQLiRuleSet | n/a | `bool` | `true` | no |
| enable\_OverrideActionCountUnixRuleSet | n/a | `bool` | `true` | no |
| enable\_OverrideActionCountWindowsRuleSet | n/a | `bool` | `true` | no |
| enable\_OverrideActionCountWordPressRuleSet | n/a | `bool` | `true` | no |
| enable\_PHPRuleSet | n/a | `bool` | `false` | no |
| enable\_SQLiRuleSet | n/a | `bool` | `false` | no |
| enable\_UnixRuleSet | n/a | `bool` | `false` | no |
| enable\_WindowsRuleSet | n/a | `bool` | `false` | no |
| enable\_WordPressRuleSet | n/a | `bool` | `false` | no |
| enabled | Whether to create the resources. Set to `false` to prevent the module from creating any resources | `bool` | `true` | no |
| name\_prefix | Name prefix used to create resources. | `string` | n/a | yes |
| tags | A map of tags (key-value pairs) passed to resources. | `map(string)` | `{}` | no |

## Outputs

No output.

<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
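Review bot: every new `*ExcludedRules` input, together with `enable_DefaultActionAllow` and the `enable_OverrideActionCount*` inputs, shows `n/a` in the Description column, so the generated docs never say what the value is. From `examples/core/main.tf` in this same commit it is a comma-separated list of rule names with no spaces (`"NoUserAgent_HEADER,UserAgent_BadBots_HEADER,SizeRestrictions_QUERYSTRING"`). Since this table is produced by the pre-commit terraform-docs hook, the fix belongs in `description` attributes in `variables.tf`, not in the README by hand.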

114 changes: 102 additions & 12 deletions cfm/waf.yaml
Expand Up @@ -73,7 +73,7 @@ Parameters:
- "yes"
- "no"
Default: "no"

DefaultActionAllowEnabled:
Type: String
AllowedValues:
Expand Down Expand Up @@ -148,6 +148,40 @@ Parameters:
- "no"
Default: "yes"

CommonRuleSetExcludedRules:
Type: String
Default: ""
AdminProtectionRuleSetExcludedRules:
Type: String
Default: ""
KnownBadInputsRuleSetExcludedRules:
Type: String
Default: ""
SQLiRuleSetExcludedRules:
Type: String
Default: ""
LinuxRuleSetExcludedRules:
Type: String
Default: ""
UnixRuleSetExcludedRules:
Type: String
Default: ""
WindowsRuleSetExcludedRules:
Type: String
Default: ""
PHPRuleSetExcludedRules:
Type: String
Default: ""
WordPressRuleSetExcludedRules:
Type: String
Default: ""
AmazonIpReputationListExcludedRules:
Type: String
Default: ""
RulesAnonymousIpListExcludedRules:
Type: String
Default: ""

Conditions:
IsAWSManagedRulesCommonRuleSetEnabled: !Equals [ !Ref AWSManagedRulesCommonRuleSetEnabled , "yes" ]
IsAWSManagedRulesAdminProtectionRuleSetEnabled: !Equals [ !Ref AWSManagedRulesAdminProtectionRuleSetEnabled , "yes" ]
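Review bot: the new `*ExcludedRules` parameters carry no `Description` and no `AllowedPattern`, yet the template later splits them on `,` with `Fn::Split`. A value such as `NoUserAgent_HEADER, UserAgent_BadBots_HEADER` (space after the comma) would yield the element ` UserAgent_BadBots_HEADER`, which is not a rule name in the group and would fail the stack update with an unhelpful message. Constraining the input, e.g. `AllowedPattern: '^$|^[A-Za-z0-9_]+(,[A-Za-z0-9_]+)*$'` with a `ConstraintDescription` stating the comma-separated format, moves that failure to parameter validation where it is readable.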
Expand Down Expand Up @@ -175,6 +209,18 @@ Conditions:
IsOverrideActionCountAmazonIpReputationListEnabled: !Equals [ !Ref OverrideActionCountAmazonIpReputationListEnabled, "yes" ]
IsOverrideActionCountAnonymousIpListEnabled: !Equals [ !Ref OverrideActionCountAnonymousIpListEnabled, "yes" ]

IsCommonRuleSetExcludedRules: !Equals [ !Ref CommonRuleSetExcludedRules, "" ]
IsAdminProtectionRuleSetExcludedRules: !Equals [ !Ref AdminProtectionRuleSetExcludedRules, "" ]
IsKnownBadInputsRuleSetExcludedRules: !Equals [ !Ref KnownBadInputsRuleSetExcludedRules, "" ]
IsSQLiRuleSetExcludedRules: !Equals [ !Ref SQLiRuleSetExcludedRules, "" ]
IsLinuxRuleSetExcludedRules: !Equals [ !Ref LinuxRuleSetExcludedRules, "" ]
IsUnixRuleSetExcludedRules: !Equals [ !Ref UnixRuleSetExcludedRules, "" ]
IsWindowsRuleSetExcludedRules: !Equals [ !Ref WindowsRuleSetExcludedRules, "" ]
IsPHPRuleSetExcludedRules: !Equals [ !Ref PHPRuleSetExcludedRules, "" ]
IsWordPressRuleSetExcludedRules: !Equals [ !Ref WordPressRuleSetExcludedRules, "" ]
IsAmazonIpReputationListExcludedRules: !Equals [ !Ref AmazonIpReputationListExcludedRules, "" ]
IsRulesAnonymousIpListExcludedRules: !Equals [ !Ref RulesAnonymousIpListExcludedRules, "" ]

Resources:
WAFWebACL:
Type: AWS::WAFv2::WebACL
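Review bot: the condition names read inverted: `IsCommonRuleSetExcludedRules` is true when `CommonRuleSetExcludedRules` is empty, i.e. when there is nothing to exclude. Every `Fn::If` that consumes these conditions must then put `[]` in the true branch and the real list in the false branch, which is easy to get backwards on the next edit. `HasCommonRuleSetExcludedRules: !Not [ !Equals [ !Ref CommonRuleSetExcludedRules, "" ] ]` with the branches swapped makes the intent explicit. Note also that this empty-string check is what makes the Terraform side work: `main.tf` passes `null` for an unset variable, so CloudFormation falls back to the parameter's `Default: ""`; if that default were ever dropped, stack creation would fail.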
Expand Down Expand Up @@ -209,7 +255,11 @@ Resources:
ManagedRuleGroupStatement:
VendorName: AWS
Name: AWSManagedRulesCommonRuleSet
ExcludedRules: []
ExcludedRules:
'Fn::If':
- IsCommonRuleSetExcludedRules
- []
- 'Fn::Split': [ ",", !Ref CommonRuleSetExcludedRules ]
- !Ref 'AWS::NoValue'
- Fn::If:
- IsAWSManagedRulesAdminProtectionRuleSetEnabled
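Review bot: `ExcludedRules` on a `ManagedRuleGroupStatement` is a list of `ExcludedRule` objects, each with a `Name` key (`- Name: NoUserAgent_HEADER`), whereas `Fn::Split` returns a list of plain strings. Unless an update of `WAFWebACL` with a non-empty value has actually been verified, I would expect the template to be rejected at validation, and CloudFormation has no intrinsic function that maps a string list into objects. If the string-list form does not work, the options are a fixed number of slots built with `Fn::Select` and a condition per slot, or rendering the `ExcludedRules` list on the Terraform side (for instance from a `list(string)` variable via `templatefile`) and passing the result as `template_body`. The same applies to the ten identical blocks below. Minor: this hunk uses the quoted long form `'Fn::If':` while the enclosing list item uses `Fn::If:`; one style throughout reads better.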
Expand All @@ -229,7 +279,11 @@ Resources:
ManagedRuleGroupStatement:
VendorName: AWS
Name: AWSManagedRulesAdminProtectionRuleSet
ExcludedRules: []
ExcludedRules:
'Fn::If':
- IsAdminProtectionRuleSetExcludedRules
- []
- 'Fn::Split': [ ",", !Ref AdminProtectionRuleSetExcludedRules ]
- !Ref 'AWS::NoValue'
- Fn::If:
- IsAWSManagedRulesKnownBadInputsRuleSetEnabled
Expand All @@ -249,7 +303,11 @@ Resources:
ManagedRuleGroupStatement:
VendorName: AWS
Name: AWSManagedRulesKnownBadInputsRuleSet
ExcludedRules: []
ExcludedRules:
'Fn::If':
- IsKnownBadInputsRuleSetExcludedRules
- []
- 'Fn::Split': [ ",", !Ref KnownBadInputsRuleSetExcludedRules ]
- !Ref 'AWS::NoValue'
- Fn::If:
- IsAWSManagedRulesSQLiRuleSetEnabled
Expand All @@ -269,7 +327,11 @@ Resources:
ManagedRuleGroupStatement:
VendorName: AWS
Name: AWSManagedRulesSQLiRuleSet
ExcludedRules: []
ExcludedRules:
'Fn::If':
- IsSQLiRuleSetExcludedRules
- []
- 'Fn::Split': [ ",", !Ref SQLiRuleSetExcludedRules ]
- !Ref 'AWS::NoValue'
- Fn::If:
- IsAWSManagedRulesLinuxRuleSetEnabled
Expand All @@ -289,7 +351,11 @@ Resources:
ManagedRuleGroupStatement:
VendorName: AWS
Name: AWSManagedRulesLinuxRuleSet
ExcludedRules: []
ExcludedRules:
'Fn::If':
- IsLinuxRuleSetExcludedRules
- []
- 'Fn::Split': [ ",", !Ref LinuxRuleSetExcludedRules ]
- !Ref 'AWS::NoValue'
- Fn::If:
- IsAWSManagedRulesUnixRuleSetEnabled
Expand All @@ -309,7 +375,11 @@ Resources:
ManagedRuleGroupStatement:
VendorName: AWS
Name: AWSManagedRulesUnixRuleSet
ExcludedRules: []
ExcludedRules:
'Fn::If':
- IsUnixRuleSetExcludedRules
- []
- 'Fn::Split': [ ",", !Ref UnixRuleSetExcludedRules ]
- !Ref 'AWS::NoValue'
- Fn::If:
- IsAWSManagedRulesWindowsRuleSetEnabled
Expand All @@ -329,7 +399,11 @@ Resources:
ManagedRuleGroupStatement:
VendorName: AWS
Name: AWSManagedRulesWindowsRuleSet
ExcludedRules: []
ExcludedRules:
'Fn::If':
- IsWindowsRuleSetExcludedRules
- []
- 'Fn::Split': [ ",", !Ref WindowsRuleSetExcludedRules ]
- !Ref 'AWS::NoValue'
- Fn::If:
- IsAWSManagedRulesPHPRuleSetEnabled
Expand All @@ -349,7 +423,11 @@ Resources:
ManagedRuleGroupStatement:
VendorName: AWS
Name: AWSManagedRulesPHPRuleSet
ExcludedRules: []
ExcludedRules:
'Fn::If':
- IsPHPRuleSetExcludedRules
- []
- 'Fn::Split': [ ",", !Ref PHPRuleSetExcludedRules ]
- !Ref 'AWS::NoValue'
- Fn::If:
- IsAWSManagedRulesWordPressRuleSetEnabled
Expand All @@ -369,7 +447,11 @@ Resources:
ManagedRuleGroupStatement:
VendorName: AWS
Name: AWSManagedRulesWordPressRuleSet
ExcludedRules: []
ExcludedRules:
'Fn::If':
- IsWordPressRuleSetExcludedRules
- []
- 'Fn::Split': [ ",", !Ref WordPressRuleSetExcludedRules ]
- !Ref 'AWS::NoValue'
- Fn::If:
- IsAWSManagedRulesAmazonIpReputationListEnabled
Expand All @@ -389,7 +471,11 @@ Resources:
ManagedRuleGroupStatement:
VendorName: AWS
Name: AWSManagedRulesAmazonIpReputationList
ExcludedRules: []
ExcludedRules:
'Fn::If':
- IsAmazonIpReputationListExcludedRules
- []
- 'Fn::Split': [ ",", !Ref AmazonIpReputationListExcludedRules ]
- !Ref 'AWS::NoValue'
- Fn::If:
- IsAWSManagedRulesAnonymousIpListEnabled
Expand All @@ -409,7 +495,11 @@ Resources:
ManagedRuleGroupStatement:
VendorName: AWS
Name: AWSManagedRulesAnonymousIpList
ExcludedRules: []
ExcludedRules:
'Fn::If':
- IsRulesAnonymousIpListExcludedRules
- []
- 'Fn::Split': [ ",", !Ref RulesAnonymousIpListExcludedRules ]
- !Ref 'AWS::NoValue'

WAFWebACLAssociation:
2 changes: 2 additions & 0 deletions examples/core/main.tf
Expand Up @@ -119,4 +119,6 @@ module "waf" {
enable_OverrideActionCountSQLiRuleSet = false
enable_OverrideActionCountKnownBadInputsRuleSet = false
enable_OverrideActionCountUnixRuleSet = false

CommonRuleSetExcludedRules = "NoUserAgent_HEADER,UserAgent_BadBots_HEADER,SizeRestrictions_QUERYSTRING"
}
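Review bot: the example excludes three rules of `AWSManagedRulesCommonRuleSet` without saying why; a one-line comment above it would help readers, since each name removes blocking for a whole class of request (`SizeRestrictions_QUERYSTRING` in particular). The same comment should say that in WAFv2 an excluded rule is not removed but has its action overridden to Count, so it still matches and still appears in the web ACL metrics and logs, which is where to confirm an exclusion is doing what was intended. The value also happens to be the only place in the commit that shows the required format (comma-separated, no spaces).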
12 changes: 12 additions & 0 deletions main.tf
Expand Up @@ -35,6 +35,18 @@ resource "aws_cloudformation_stack" "waf" {
OverrideActionCountWordPressRuleSetEnabled = var.enable_OverrideActionCountWordPressRuleSet ? "yes" : "no"
OverrideActionCountAmazonIpReputationListEnabled = var.enable_OverrideActionCountAmazonIpReputationList ? "yes" : "no"
OverrideActionCountAnonymousIpListEnabled = var.enable_OverrideActionCountAnonymousIpList ? "yes" : "no"

CommonRuleSetExcludedRules = var.CommonRuleSetExcludedRules != "" ? var.CommonRuleSetExcludedRules : null
AdminProtectionRuleSetExcludedRules = var.AdminProtectionRuleSetExcludedRules != "" ? var.AdminProtectionRuleSetExcludedRules : null
KnownBadInputsRuleSetExcludedRules = var.KnownBadInputsRuleSetExcludedRules != "" ? var.KnownBadInputsRuleSetExcludedRules : null
SQLiRuleSetExcludedRules = var.SQLiRuleSetExcludedRules != "" ? var.SQLiRuleSetExcludedRules : null
LinuxRuleSetExcludedRules = var.LinuxRuleSetExcludedRules != "" ? var.LinuxRuleSetExcludedRules : null
UnixRuleSetExcludedRules = var.UnixRuleSetExcludedRules != "" ? var.UnixRuleSetExcludedRules : null
WindowsRuleSetExcludedRules = var.WindowsRuleSetExcludedRules != "" ? var.WindowsRuleSetExcludedRules : null
PHPRuleSetExcludedRules = var.PHPRuleSetExcludedRules != "" ? var.PHPRuleSetExcludedRules : null
WordPressRuleSetExcludedRules = var.WordPressRuleSetExcludedRules != "" ? var.WordPressRuleSetExcludedRules : null
AmazonIpReputationListExcludedRules = var.AmazonIpReputationListExcludedRules != "" ? var.AmazonIpReputationListExcludedRules : null
RulesAnonymousIpListExcludedRules = var.RulesAnonymousIpListExcludedRules != "" ? var.RulesAnonymousIpListExcludedRules : null
}

tags = var.tags
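Review bot: mapping `""` to `null` for all eleven parameters omits an unset variable from `parameters`, so CloudFormation applies the template's `Default: ""` and the `!Equals [..., ""]` conditions in `cfm/waf.yaml` still hold; the cost is that the Terraform and CloudFormation defaults now have to be kept in sync by hand. Passing `var.X` straight through (it already defaults to `""`) would drop both the conditional and the coupling. Either way, a `for` expression over a map of rule group names to variables would replace the eleven near-identical lines, and a comment noting that each value is a comma-separated string consumed by `Fn::Split` belongs here for the next maintainer.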
55 changes: 55 additions & 0 deletions variables.tf
Expand Up @@ -135,3 +135,58 @@ variable "enable_OverrideActionCountAnonymousIpList" {
type = bool
default = true
}

variable "CommonRuleSetExcludedRules" {
type = string
default = ""
}

variable "AdminProtectionRuleSetExcludedRules" {
type = string
default = ""
}

variable "KnownBadInputsRuleSetExcludedRules" {
type = string
default = ""
}

variable "SQLiRuleSetExcludedRules" {
type = string
default = ""
}

variable "LinuxRuleSetExcludedRules" {
type = string
default = ""
}

variable "UnixRuleSetExcludedRules" {
type = string
default = ""
}

variable "WindowsRuleSetExcludedRules" {
type = string
default = ""
}

variable "PHPRuleSetExcludedRules" {
type = string
default = ""
}

variable "WordPressRuleSetExcludedRules" {
type = string
default = ""
}

variable "AmazonIpReputationListExcludedRules" {
type = string
default = ""
}

variable "RulesAnonymousIpListExcludedRules" {
type = string
default = ""
}
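Review bot: none of the eleven new variables has a `description`, which is why the README table in this commit shows `n/a` for all of them. Each should state that it takes a comma-separated list of rule names from that managed rule group, with no spaces, and that excluded rules are switched to Count rather than removed. Declaring them as `list(string)` and using `join(",", var.X)` in `main.tf` would let callers pass a native list and stop the whitespace problem at the source. Minor: `RulesAnonymousIpListExcludedRules` does not follow the `<RuleGroup>ExcludedRules` pattern of the other ten (the matching toggle is `enable_AnonymousIpList`); renaming it to `AnonymousIpListExcludedRules` now avoids a breaking change after release.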
