From 9fbb9ac20755be75403b3e53c4f34cbc90eef7f1 Mon Sep 17 00:00:00 2001
From: Marcin Cuber
Date: Fri, 27 Mar 2020 15:33:59 +0000
Subject: [PATCH] Feature/exclude rules support (#2)
* Add support to allow exclustion of rules for each set of rules
* update docs
* fix template
---
 README.md | 65 ++++++++++++++++++------
 cfm/waf.yaml | 114 +++++++++++++++++++++++++++++++++++++-----
 examples/core/main.tf | 2 +
 main.tf | 12 +++++
 variables.tf | 55 ++++++++++++++++++++
 5 files changed, 220 insertions(+), 28 deletions(-)
diff --git a/README.md b/README.md
index 089e6a7..fb55f2d 100644
--- a/README.md
+++ b/README.md
@@ -42,25 +42,58 @@ Module is to be used with Terraform > 0.12.
 Module managed by [Marcin Cuber](https://github.com/marcincuber) [LinkedIn](https://www.linkedin.com/in/marcincuber/).
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+
 ## Inputs
 | Name | Description | Type | Default | Required |
-|------|-------------|:----:|:-----:|:-----:|
-| alb\_arn | Application Load Balancer ARN | string | `""` | no |
-| enable\_AdminProtectionRuleSet | | bool | `"false"` | no |
-| enable\_AmazonIpReputationList | | bool | `"false"` | no |
-| enable\_AnonymousIpList | | bool | `"false"` | no |
-| enable\_CommonRuleSet | | bool | `"false"` | no |
-| enable\_KnownBadInputsRuleSet | | bool | `"false"` | no |
-| enable\_LinuxRuleSet | | bool | `"false"` | no |
-| enable\_PHPRuleSet | | bool | `"false"` | no |
-| enable\_SQLiRuleSet | | bool | `"false"` | no |
-| enable\_UnixRuleSet | | bool | `"false"` | no |
-| enable\_WindowsRuleSet | | bool | `"false"` | no |
-| enable\_WordPressRuleSet | | bool | `"false"` | no |
-| enabled | Whether to create the resources. Set to `false` to prevent the module from creating any resources | bool | `"true"` | no |
-| name\_prefix | Name prefix used to create resources. | string | n/a | yes |
-| tags | A map of tags \(key-value pairs\) passed to resources.
| map(string) | `{}` | no |
+|------|-------------|------|---------|:-----:|
+| AdminProtectionRuleSetExcludedRules | n/a | `string` | `""` | no |
+| AmazonIpReputationListExcludedRules | n/a | `string` | `""` | no |
+| CommonRuleSetExcludedRules | n/a | `string` | `""` | no |
+| KnownBadInputsRuleSetExcludedRules | n/a | `string` | `""` | no |
+| LinuxRuleSetExcludedRules | n/a | `string` | `""` | no |
+| PHPRuleSetExcludedRules | n/a | `string` | `""` | no |
+| RulesAnonymousIpListExcludedRules | n/a | `string` | `""` | no |
+| SQLiRuleSetExcludedRules | n/a | `string` | `""` | no |
+| UnixRuleSetExcludedRules | n/a | `string` | `""` | no |
+| WindowsRuleSetExcludedRules | n/a | `string` | `""` | no |
+| WordPressRuleSetExcludedRules | n/a | `string` | `""` | no |
+| alb\_arn | Application Load Balancer ARN | `string` | `""` | no |
+| enable\_AdminProtectionRuleSet | n/a | `bool` | `false` | no |
+| enable\_AmazonIpReputationList | n/a | `bool` | `false` | no |
+| enable\_AnonymousIpList | n/a | `bool` | `false` | no |
+| enable\_CommonRuleSet | n/a | `bool` | `false` | no |
+| enable\_DefaultActionAllow | n/a | `bool` | `true` | no |
+| enable\_KnownBadInputsRuleSet | n/a | `bool` | `false` | no |
+| enable\_LinuxRuleSet | n/a | `bool` | `false` | no |
+| enable\_OverrideActionCountAdminProtectionRuleSet | n/a | `bool` | `true` | no |
+| enable\_OverrideActionCountAmazonIpReputationList | n/a | `bool` | `true` | no |
+| enable\_OverrideActionCountAnonymousIpList | n/a | `bool` | `true` | no |
+| enable\_OverrideActionCountCommonRuleSet | n/a | `bool` | `true` | no |
+| enable\_OverrideActionCountKnownBadInputsRuleSet | n/a | `bool` | `true` | no |
+| enable\_OverrideActionCountLinuxRuleSet | n/a | `bool` | `true` | no |
+| enable\_OverrideActionCountPHPRuleSet | n/a | `bool` | `true` | no |
+| enable\_OverrideActionCountSQLiRuleSet | n/a | `bool` | `true` | no |
+| enable\_OverrideActionCountUnixRuleSet | n/a | `bool` | `true` | no |
+|
enable\_OverrideActionCountWindowsRuleSet | n/a | `bool` | `true` | no |
+| enable\_OverrideActionCountWordPressRuleSet | n/a | `bool` | `true` | no |
+| enable\_PHPRuleSet | n/a | `bool` | `false` | no |
+| enable\_SQLiRuleSet | n/a | `bool` | `false` | no |
+| enable\_UnixRuleSet | n/a | `bool` | `false` | no |
+| enable\_WindowsRuleSet | n/a | `bool` | `false` | no |
+| enable\_WordPressRuleSet | n/a | `bool` | `false` | no |
+| enabled | Whether to create the resources. Set to `false` to prevent the module from creating any resources | `bool` | `true` | no |
+| name\_prefix | Name prefix used to create resources. | `string` | n/a | yes |
+| tags | A map of tags (key-value pairs) passed to resources. | `map(string)` | `{}` | no |
+
+## Outputs
+
+No output.
diff --git a/cfm/waf.yaml b/cfm/waf.yaml
index 012f803..f25d440 100644
--- a/cfm/waf.yaml
+++ b/cfm/waf.yaml
@@ -73,7 +73,7 @@ Parameters:
 - "yes"
 - "no"
 Default: "no"
-
+
 DefaultActionAllowEnabled:
 Type: String
 AllowedValues:
@@ -148,6 +148,40 @@ Parameters:
 - "no"
 Default: "yes"
+ CommonRuleSetExcludedRules:
+ Type: String
+ Default: ""
+ AdminProtectionRuleSetExcludedRules:
+ Type: String
+ Default: ""
+ KnownBadInputsRuleSetExcludedRules:
+ Type: String
+ Default: ""
+ SQLiRuleSetExcludedRules:
+ Type: String
+ Default: ""
+ LinuxRuleSetExcludedRules:
+ Type: String
+ Default: ""
+ UnixRuleSetExcludedRules:
+ Type: String
+ Default: ""
+ WindowsRuleSetExcludedRules:
+ Type: String
+ Default: ""
+ PHPRuleSetExcludedRules:
+ Type: String
+ Default: ""
+ WordPressRuleSetExcludedRules:
+ Type: String
+ Default: ""
+ AmazonIpReputationListExcludedRules:
+ Type: String
+ Default: ""
+ RulesAnonymousIpListExcludedRules:
+ Type: String
+ Default: ""
+
 Conditions:
 IsAWSManagedRulesCommonRuleSetEnabled: !Equals [ !Ref AWSManagedRulesCommonRuleSetEnabled , "yes" ]
 IsAWSManagedRulesAdminProtectionRuleSetEnabled: !Equals [ !Ref AWSManagedRulesAdminProtectionRuleSetEnabled , "yes" ]
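Review bot: The eleven new `*ExcludedRules` parameters in the @@ -148 hunk carry neither a `Description` nor an `AllowedPattern`, so a value with stray whitespace or a misspelt rule name is only rejected when the WebACL resource is created, after the stack update has already started. Because the later hunks split the value on a bare comma, a pattern such as `AllowedPattern: '^$|^[A-Za-z0-9_]+(,[A-Za-z0-9_]+)*$'` (constructed example) would reject `a, b` at parameter-validation time instead. A description along the lines of `Description: Comma-separated rule names of AWSManagedRulesCommonRuleSet to exclude; excluded rules are evaluated in COUNT mode and no longer block` would also tell operators that each entry weakens the rule group. The same applies to the other ten parameters in the hunk.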
@@ -175,6 +209,18 @@ Conditions:
 IsOverrideActionCountAmazonIpReputationListEnabled: !Equals [ !Ref OverrideActionCountAmazonIpReputationListEnabled, "yes" ]
 IsOverrideActionCountAnonymousIpListEnabled: !Equals [ !Ref OverrideActionCountAnonymousIpListEnabled, "yes" ]
+ IsCommonRuleSetExcludedRules: !Equals [ !Ref CommonRuleSetExcludedRules, "" ]
+ IsAdminProtectionRuleSetExcludedRules: !Equals [ !Ref AdminProtectionRuleSetExcludedRules, "" ]
+ IsKnownBadInputsRuleSetExcludedRules: !Equals [ !Ref KnownBadInputsRuleSetExcludedRules, "" ]
+ IsSQLiRuleSetExcludedRules: !Equals [ !Ref SQLiRuleSetExcludedRules, "" ]
+ IsLinuxRuleSetExcludedRules: !Equals [ !Ref LinuxRuleSetExcludedRules, "" ]
+ IsUnixRuleSetExcludedRules: !Equals [ !Ref UnixRuleSetExcludedRules, "" ]
+ IsWindowsRuleSetExcludedRules: !Equals [ !Ref WindowsRuleSetExcludedRules, "" ]
+ IsPHPRuleSetExcludedRules: !Equals [ !Ref PHPRuleSetExcludedRules, "" ]
+ IsWordPressRuleSetExcludedRules: !Equals [ !Ref WordPressRuleSetExcludedRules, "" ]
+ IsAmazonIpReputationListExcludedRules: !Equals [ !Ref AmazonIpReputationListExcludedRules, "" ]
+ IsRulesAnonymousIpListExcludedRules: !Equals [ !Ref RulesAnonymousIpListExcludedRules, "" ]
+
 Resources:
 WAFWebACL:
 Type: AWS::WAFv2::WebACL
@@ -209,7 +255,11 @@ Resources:
 ManagedRuleGroupStatement:
 VendorName: AWS
 Name: AWSManagedRulesCommonRuleSet
- ExcludedRules: []
+ ExcludedRules:
+ 'Fn::If':
+ - IsCommonRuleSetExcludedRules
+ - []
+ - 'Fn::Split': [ ",", !Ref CommonRuleSetExcludedRules ]
 - !Ref 'AWS::NoValue'
 - Fn::If:
 - IsAWSManagedRulesAdminProtectionRuleSetEnabled
@@ -229,7 +279,11 @@ Resources:
 ManagedRuleGroupStatement:
 VendorName: AWS
 Name: AWSManagedRulesAdminProtectionRuleSet
- ExcludedRules: []
+ ExcludedRules:
+ 'Fn::If':
+ - IsAdminProtectionRuleSetExcludedRules
+ - []
+ - 'Fn::Split': [ ",", !Ref AdminProtectionRuleSetExcludedRules ]
 - !Ref 'AWS::NoValue'
 - Fn::If:
 - IsAWSManagedRulesKnownBadInputsRuleSetEnabled
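Review bot: The condition names added in the @@ -175 hunk read inverted: `IsCommonRuleSetExcludedRules` is true exactly when `CommonRuleSetExcludedRules` is the empty string, i.e. when there are no excluded rules, and the `Fn::If` consumers in the later hunks depend on that reading. A name that states the tested fact, e.g. `HasNoCommonRuleSetExcludedRules: !Equals [ !Ref CommonRuleSetExcludedRules, "" ]`, or wrapping the comparison in `!Not` so the truthy branch is the populated one, would keep the next maintainer from assuming the true branch carries the exclusions. This applies to all eleven conditions in the hunk.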
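Review bot: `'Fn::Split': [ ",", !Ref CommonRuleSetExcludedRules ]` in the @@ -209 hunk produces a list of plain strings, but as far as I can tell from the AWS::WAFv2::WebACL schema `ExcludedRules` is a list of `ExcludedRule` objects each carrying a `Name` property (the removed `ExcludedRules: []` satisfied both readings), so the populated branch will most likely fail validation on the first deploy with a non-empty value, and no CloudFormation intrinsic can turn the split list into objects. Either render the entries on the Terraform side, e.g. by feeding the template through `templatefile()` with `[for r in split(",", var.CommonRuleSetExcludedRules) : { Name = trimspace(r) }]` (the template wiring of the `aws_cloudformation_stack` resource is outside this diff, so this is inferred), or expose a fixed number of per-rule-set slots picked with `Fn::Select`. The `trimspace` also matters because `Fn::Split` keeps the space in `a, b`, and the WebACL rejects unknown rule names. The same construct is repeated in the @@ -229, -249, -269, -289, -309, -329, -349, -369, -389 and -409 hunks.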
@@ -249,7 +303,11 @@ Resources:
 ManagedRuleGroupStatement:
 VendorName: AWS
 Name: AWSManagedRulesKnownBadInputsRuleSet
- ExcludedRules: []
+ ExcludedRules:
+ 'Fn::If':
+ - IsKnownBadInputsRuleSetExcludedRules
+ - []
+ - 'Fn::Split': [ ",", !Ref KnownBadInputsRuleSetExcludedRules ]
 - !Ref 'AWS::NoValue'
 - Fn::If:
 - IsAWSManagedRulesSQLiRuleSetEnabled
@@ -269,7 +327,11 @@ Resources:
 ManagedRuleGroupStatement:
 VendorName: AWS
 Name: AWSManagedRulesSQLiRuleSet
- ExcludedRules: []
+ ExcludedRules:
+ 'Fn::If':
+ - IsSQLiRuleSetExcludedRules
+ - []
+ - 'Fn::Split': [ ",", !Ref SQLiRuleSetExcludedRules ]
 - !Ref 'AWS::NoValue'
 - Fn::If:
 - IsAWSManagedRulesLinuxRuleSetEnabled
@@ -289,7 +351,11 @@ Resources:
 ManagedRuleGroupStatement:
 VendorName: AWS
 Name: AWSManagedRulesLinuxRuleSet
- ExcludedRules: []
+ ExcludedRules:
+ 'Fn::If':
+ - IsLinuxRuleSetExcludedRules
+ - []
+ - 'Fn::Split': [ ",", !Ref LinuxRuleSetExcludedRules ]
 - !Ref 'AWS::NoValue'
 - Fn::If:
 - IsAWSManagedRulesUnixRuleSetEnabled
@@ -309,7 +375,11 @@ Resources:
 ManagedRuleGroupStatement:
 VendorName: AWS
 Name: AWSManagedRulesUnixRuleSet
- ExcludedRules: []
+ ExcludedRules:
+ 'Fn::If':
+ - IsUnixRuleSetExcludedRules
+ - []
+ - 'Fn::Split': [ ",", !Ref UnixRuleSetExcludedRules ]
 - !Ref 'AWS::NoValue'
 - Fn::If:
 - IsAWSManagedRulesWindowsRuleSetEnabled
@@ -329,7 +399,11 @@ Resources:
 ManagedRuleGroupStatement:
 VendorName: AWS
 Name: AWSManagedRulesWindowsRuleSet
- ExcludedRules: []
+ ExcludedRules:
+ 'Fn::If':
+ - IsWindowsRuleSetExcludedRules
+ - []
+ - 'Fn::Split': [ ",", !Ref WindowsRuleSetExcludedRules ]
 - !Ref 'AWS::NoValue'
 - Fn::If:
 - IsAWSManagedRulesPHPRuleSetEnabled
@@ -349,7 +423,11 @@ Resources:
 ManagedRuleGroupStatement:
 VendorName: AWS
 Name: AWSManagedRulesPHPRuleSet
- ExcludedRules: []
+ ExcludedRules:
+ 'Fn::If':
+ - IsPHPRuleSetExcludedRules
+ - []
+ - 'Fn::Split': [ ",", !Ref PHPRuleSetExcludedRules ]
 - !Ref 'AWS::NoValue'
 - Fn::If:
 - IsAWSManagedRulesWordPressRuleSetEnabled
@@ -369,7 +447,11 @@ Resources:
 ManagedRuleGroupStatement:
 VendorName: AWS
 Name: AWSManagedRulesWordPressRuleSet
- ExcludedRules: []
+ ExcludedRules:
+ 'Fn::If':
+ - IsWordPressRuleSetExcludedRules
+ - []
+ - 'Fn::Split': [ ",", !Ref WordPressRuleSetExcludedRules ]
 - !Ref 'AWS::NoValue'
 - Fn::If:
 - IsAWSManagedRulesAmazonIpReputationListEnabled
@@ -389,7 +471,11 @@ Resources:
 ManagedRuleGroupStatement:
 VendorName: AWS
 Name: AWSManagedRulesAmazonIpReputationList
- ExcludedRules: []
+ ExcludedRules:
+ 'Fn::If':
+ - IsAmazonIpReputationListExcludedRules
+ - []
+ - 'Fn::Split': [ ",", !Ref AmazonIpReputationListExcludedRules ]
 - !Ref 'AWS::NoValue'
 - Fn::If:
 - IsAWSManagedRulesAnonymousIpListEnabled
@@ -409,7 +495,11 @@ Resources:
 ManagedRuleGroupStatement:
 VendorName: AWS
 Name: AWSManagedRulesAnonymousIpList
- ExcludedRules: []
+ ExcludedRules:
+ 'Fn::If':
+ - IsRulesAnonymousIpListExcludedRules
+ - []
+ - 'Fn::Split': [ ",", !Ref RulesAnonymousIpListExcludedRules ]
 - !Ref 'AWS::NoValue'
 WAFWebACLAssociation:
diff --git a/examples/core/main.tf b/examples/core/main.tf
index 786c97b..2af867f 100644
--- a/examples/core/main.tf
+++ b/examples/core/main.tf
@@ -119,4 +119,6 @@ module "waf" {
 enable_OverrideActionCountSQLiRuleSet = false
 enable_OverrideActionCountKnownBadInputsRuleSet = false
 enable_OverrideActionCountUnixRuleSet = false
+
+ CommonRuleSetExcludedRules = "NoUserAgent_HEADER,UserAgent_BadBots_HEADER,SizeRestrictions_QUERYSTRING"
 }
diff --git a/main.tf b/main.tf
index bbee5a0..b55aaf6 100644
--- a/main.tf
+++ b/main.tf
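Review bot: The example's `CommonRuleSetExcludedRules = "NoUserAgent_HEADER,UserAgent_BadBots_HEADER,SizeRestrictions_QUERYSTRING"` in the examples/core/main.tf hunk switches three Common Rule Set protections (missing User-Agent, known bad-bot User-Agents and the query-string size limit) to count-only without saying why, and example inputs tend to be copied verbatim into real deployments. A one-line comment above it, such as `# Excluded rules are evaluated in COUNT mode only (logged, not blocked); list only rules with a documented false positive and review the list periodically.`, keeps the example from turning into a silent default. The enclosing `module "waf"` block starts outside the hunk.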
@@ -35,6 +35,18 @@ resource "aws_cloudformation_stack" "waf" {
 OverrideActionCountWordPressRuleSetEnabled = var.enable_OverrideActionCountWordPressRuleSet ? "yes" : "no"
 OverrideActionCountAmazonIpReputationListEnabled = var.enable_OverrideActionCountAmazonIpReputationList ? "yes" : "no"
 OverrideActionCountAnonymousIpListEnabled = var.enable_OverrideActionCountAnonymousIpList ? "yes" : "no"
+
+ CommonRuleSetExcludedRules = var.CommonRuleSetExcludedRules != "" ? var.CommonRuleSetExcludedRules : null
+ AdminProtectionRuleSetExcludedRules = var.AdminProtectionRuleSetExcludedRules != "" ? var.AdminProtectionRuleSetExcludedRules : null
+ KnownBadInputsRuleSetExcludedRules = var.KnownBadInputsRuleSetExcludedRules != "" ? var.KnownBadInputsRuleSetExcludedRules : null
+ SQLiRuleSetExcludedRules = var.SQLiRuleSetExcludedRules != "" ? var.SQLiRuleSetExcludedRules : null
+ LinuxRuleSetExcludedRules = var.LinuxRuleSetExcludedRules != "" ? var.LinuxRuleSetExcludedRules : null
+ UnixRuleSetExcludedRules = var.UnixRuleSetExcludedRules != "" ? var.UnixRuleSetExcludedRules : null
+ WindowsRuleSetExcludedRules = var.WindowsRuleSetExcludedRules != "" ? var.WindowsRuleSetExcludedRules : null
+ PHPRuleSetExcludedRules = var.PHPRuleSetExcludedRules != "" ? var.PHPRuleSetExcludedRules : null
+ WordPressRuleSetExcludedRules = var.WordPressRuleSetExcludedRules != "" ? var.WordPressRuleSetExcludedRules : null
+ AmazonIpReputationListExcludedRules = var.AmazonIpReputationListExcludedRules != "" ? var.AmazonIpReputationListExcludedRules : null
+ RulesAnonymousIpListExcludedRules = var.RulesAnonymousIpListExcludedRules != "" ? var.RulesAnonymousIpListExcludedRules : null
 }
 tags = var.tags
diff --git a/variables.tf b/variables.tf
index 07c79bc..061776d 100644
--- a/variables.tf
+++ b/variables.tf
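Review bot: The `var.CommonRuleSetExcludedRules != "" ? var.CommonRuleSetExcludedRules : null` form on each new parameter line is redundant: the template in this same patch declares every one of these parameters with `Default: ""` and its condition tests `!Equals [ ..., "" ]`, so passing the variable through unchanged yields the same stack. The ternary additionally places `null` inside the `parameters` map, and I would want it confirmed on the Terraform 0.12 line the README targets that a null map element is dropped rather than sent as an empty or invalid parameter value, since nothing else in this resource relies on that. `CommonRuleSetExcludedRules = var.CommonRuleSetExcludedRules` (and likewise for the other ten lines) is shorter and sidesteps the question. The `resource "aws_cloudformation_stack" "waf"` block begins and ends outside the hunk.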
@@ -135,3 +135,58 @@ variable "enable_OverrideActionCountAnonymousIpList" {
 type = bool
 default = true
 }
+
+variable "CommonRuleSetExcludedRules" {
+ type = string
+ default = ""
+}
+
+variable "AdminProtectionRuleSetExcludedRules" {
+ type = string
+ default = ""
+}
+
+variable "KnownBadInputsRuleSetExcludedRules" {
+ type = string
+ default = ""
+}
+
+variable "SQLiRuleSetExcludedRules" {
+ type = string
+ default = ""
+}
+
+variable "LinuxRuleSetExcludedRules" {
+ type = string
+ default = ""
+}
+
+variable "UnixRuleSetExcludedRules" {
+ type = string
+ default = ""
+}
+
+variable "WindowsRuleSetExcludedRules" {
+ type = string
+ default = ""
+}
+
+variable "PHPRuleSetExcludedRules" {
+ type = string
+ default = ""
+}
+
+variable "WordPressRuleSetExcludedRules" {
+ type = string
+ default = ""
+}
+
+variable "AmazonIpReputationListExcludedRules" {
+ type = string
+ default = ""
+}
+
+variable "RulesAnonymousIpListExcludedRules" {
+ type = string
+ default = ""
+}
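Review bot: None of the eleven new `variable` blocks has a `description`, which is why the README table in this patch shows `n/a` for each of them, and these are precisely the inputs that weaken the managed rule groups, so a module user cannot tell from the interface what a value does. Each should state the format and the consequence, e.g. `description = "Comma-separated names of AWSManagedRulesCommonRuleSet rules to exclude. Excluded rules run in COUNT mode only and no longer block."`. The naming is also inconsistent: `RulesAnonymousIpListExcludedRules` carries an extra `Rules` prefix that none of the other ten have (mirrored in cfm/waf.yaml, main.tf and the README), while `AnonymousIpListExcludedRules` would line up with the `enable_AnonymousIpList` toggle this file already defines. The hunk's leading context is the tail of the `enable_OverrideActionCountAnonymousIpList` block, which starts outside the hunk.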