Add support for enabling default actions per rule set (#1)
marcincuber authored Mar 27, 2020
1 parent 24ca569 commit c0348ff
Showing 4 changed files with 236 additions and 25 deletions.
170 changes: 147 additions & 23 deletions cfm/waf.yaml
Expand Up @@ -73,6 +73,80 @@ Parameters:
- "yes"
- "no"
Default: "no"

DefaultActionAllowEnabled:
Type: String
AllowedValues:
- "yes"
- "no"
Default: "yes"

OverrideActionCountCommonRuleSetEnabled:
Type: String
AllowedValues:
- "yes"
- "no"
Default: "yes"
OverrideActionCountAdminProtectionRuleSetEnabled:
Type: String
AllowedValues:
- "yes"
- "no"
Default: "yes"
OverrideActionCountKnownBadInputsRuleSetEnabled:
Type: String
AllowedValues:
- "yes"
- "no"
Default: "yes"
OverrideActionCountSQLiRuleSetEnabled:
Type: String
AllowedValues:
- "yes"
- "no"
Default: "yes"
OverrideActionCountLinuxRuleSetEnabled:
Type: String
AllowedValues:
- "yes"
- "no"
Default: "yes"
OverrideActionCountUnixRuleSetEnabled:
Type: String
AllowedValues:
- "yes"
- "no"
Default: "yes"
OverrideActionCountWindowsRuleSetEnabled:
Type: String
AllowedValues:
- "yes"
- "no"
Default: "yes"
OverrideActionCountPHPRuleSetEnabled:
Type: String
AllowedValues:
- "yes"
- "no"
Default: "yes"
OverrideActionCountWordPressRuleSetEnabled:
Type: String
AllowedValues:
- "yes"
- "no"
Default: "yes"
OverrideActionCountAmazonIpReputationListEnabled:
Type: String
AllowedValues:
- "yes"
- "no"
Default: "yes"
OverrideActionCountAnonymousIpListEnabled:
Type: String
AllowedValues:
- "yes"
- "no"
Default: "yes"

Conditions:
IsAWSManagedRulesCommonRuleSetEnabled: !Equals [ !Ref AWSManagedRulesCommonRuleSetEnabled , "yes" ]
Expand All @@ -87,14 +161,31 @@ Conditions:
IsAWSManagedRulesAmazonIpReputationListEnabled: !Equals [ !Ref AWSManagedRulesAmazonIpReputationListEnabled , "yes" ]
IsAWSManagedRulesAnonymousIpListEnabled: !Equals [ !Ref AWSManagedRulesAnonymousIpListEnabled , "yes" ]

IsDefaultActionAllowEnabled: !Equals [ !Ref DefaultActionAllowEnabled , "yes" ]

IsOverrideActionCountCommonRuleSetEnabled: !Equals [ !Ref OverrideActionCountCommonRuleSetEnabled , "yes" ]
IsOverrideActionCountAdminProtectionRuleSetEnabled: !Equals [ !Ref OverrideActionCountAdminProtectionRuleSetEnabled, "yes" ]
IsOverrideActionCountKnownBadInputsRuleSetEnabled: !Equals [ !Ref OverrideActionCountKnownBadInputsRuleSetEnabled, "yes" ]
IsOverrideActionCountSQLiRuleSetEnabled: !Equals [ !Ref OverrideActionCountSQLiRuleSetEnabled, "yes" ]
IsOverrideActionCountLinuxRuleSetEnabled: !Equals [ !Ref OverrideActionCountLinuxRuleSetEnabled, "yes" ]
IsOverrideActionCountUnixRuleSetEnabled: !Equals [ !Ref OverrideActionCountUnixRuleSetEnabled, "yes" ]
IsOverrideActionCountWindowsRuleSetEnabled: !Equals [ !Ref OverrideActionCountWindowsRuleSetEnabled, "yes" ]
IsOverrideActionCountPHPRuleSetEnabled: !Equals [ !Ref OverrideActionCountPHPRuleSetEnabled, "yes" ]
IsOverrideActionCountWordPressRuleSetEnabled: !Equals [ !Ref OverrideActionCountWordPressRuleSetEnabled, "yes" ]
IsOverrideActionCountAmazonIpReputationListEnabled: !Equals [ !Ref OverrideActionCountAmazonIpReputationListEnabled, "yes" ]
IsOverrideActionCountAnonymousIpListEnabled: !Equals [ !Ref OverrideActionCountAnonymousIpListEnabled, "yes" ]

Resources:
WAFWebACL:
Type: AWS::WAFv2::WebACL
Properties:
Name: !Sub "${NamePrefix}-WAFv2-WebACL"
Scope: REGIONAL
DefaultAction:
Allow: {}
'Fn::If':
- IsDefaultActionAllowEnabled
- Allow: {}
- Block: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
Expand All @@ -106,11 +197,14 @@ Resources:
Name: AWSManagedRulesCommonRuleSet
Priority: 0
OverrideAction:
Count: {}
'Fn::If':
- IsOverrideActionCountCommonRuleSetEnabled
- Count: {}
- None: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: AWSManagedRulesCommonRuleSetMetric
MetricName: !Sub "${NamePrefix}-WAFCommonRuleSetMetric"
Statement:
ManagedRuleGroupStatement:
VendorName: AWS
Expand All @@ -123,11 +217,14 @@ Resources:
Name: AWSManagedRulesAdminProtectionRuleSet
Priority: 1
OverrideAction:
Count: {}
'Fn::If':
- IsOverrideActionCountAdminProtectionRuleSetEnabled
- Count: {}
- None: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: AWSManagedRulesAdminProtectionRuleSetMetric
MetricName: !Sub "${NamePrefix}-WAFAdminProtectionRuleSetMetric"
Statement:
ManagedRuleGroupStatement:
VendorName: AWS
Expand All @@ -140,11 +237,14 @@ Resources:
Name: AWSManagedRulesKnownBadInputsRuleSet
Priority: 2
OverrideAction:
Count: {}
'Fn::If':
- IsOverrideActionCountKnownBadInputsRuleSetEnabled
- Count: {}
- None: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: AWSManagedRulesKnownBadInputsRuleSetMetric
MetricName: !Sub "${NamePrefix}-WAFKnownBadInputsRuleSetMetric"
Statement:
ManagedRuleGroupStatement:
VendorName: AWS
Expand All @@ -157,11 +257,14 @@ Resources:
Name: AWSManagedRulesSQLiRuleSet
Priority: 3
OverrideAction:
Count: {}
'Fn::If':
- IsOverrideActionCountSQLiRuleSetEnabled
- Count: {}
- None: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: AWSManagedRulesSQLiRuleSetMetric
MetricName: !Sub "${NamePrefix}-WAFSQLiRuleSetMetric"
Statement:
ManagedRuleGroupStatement:
VendorName: AWS
Expand All @@ -174,11 +277,14 @@ Resources:
Name: AWSManagedRulesLinuxRuleSet
Priority: 4
OverrideAction:
Count: {}
'Fn::If':
- IsOverrideActionCountLinuxRuleSetEnabled
- Count: {}
- None: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: AWSManagedRulesLinuxRuleSetMetric
MetricName: !Sub "${NamePrefix}-WAFLinuxRuleSetMetric"
Statement:
ManagedRuleGroupStatement:
VendorName: AWS
Expand All @@ -191,11 +297,14 @@ Resources:
Name: AWSManagedRulesUnixRuleSet
Priority: 5
OverrideAction:
Count: {}
'Fn::If':
- IsOverrideActionCountUnixRuleSetEnabled
- Count: {}
- None: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: AWSManagedRulesUnixRuleSetMetric
MetricName: !Sub "${NamePrefix}-WAFUnixRuleSetMetric"
Statement:
ManagedRuleGroupStatement:
VendorName: AWS
Expand All @@ -208,11 +317,14 @@ Resources:
Name: AWSManagedRulesWindowsRuleSet
Priority: 6
OverrideAction:
Count: {}
'Fn::If':
- IsOverrideActionCountWindowsRuleSetEnabled
- Count: {}
- None: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: AWSManagedRulesWindowsRuleSetMetric
MetricName: !Sub "${NamePrefix}-WAFWindowsRuleSetMetric"
Statement:
ManagedRuleGroupStatement:
VendorName: AWS
Expand All @@ -225,11 +337,14 @@ Resources:
Name: AWSManagedRulesPHPRuleSet
Priority: 7
OverrideAction:
Count: {}
'Fn::If':
- IsOverrideActionCountPHPRuleSetEnabled
- Count: {}
- None: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: AWSManagedRulesPHPRuleSetMetric
MetricName: !Sub "${NamePrefix}-WAFPHPRuleSetMetric"
Statement:
ManagedRuleGroupStatement:
VendorName: AWS
Expand All @@ -242,11 +357,14 @@ Resources:
Name: AWSManagedRulesWordPressRuleSet
Priority: 8
OverrideAction:
Count: {}
'Fn::If':
- IsOverrideActionCountWordPressRuleSetEnabled
- Count: {}
- None: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: AWSManagedRulesWordPressRuleSetMetric
MetricName: !Sub "${NamePrefix}-WAFWordPressRuleSetMetric"
Statement:
ManagedRuleGroupStatement:
VendorName: AWS
Expand All @@ -259,11 +377,14 @@ Resources:
Name: AWSManagedRulesAmazonIpReputationList
Priority: 9
OverrideAction:
Count: {}
'Fn::If':
- IsOverrideActionCountAmazonIpReputationListEnabled
- Count: {}
- None: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: AWSManagedRulesAmazonIpReputationListMetric
MetricName: !Sub "${NamePrefix}-WAFAmazonIpReputationListMetric"
Statement:
ManagedRuleGroupStatement:
VendorName: AWS
Expand All @@ -276,11 +397,14 @@ Resources:
Name: AWSManagedRulesAnonymousIpList
Priority: 10
OverrideAction:
Count: {}
'Fn::If':
- IsOverrideActionCountAnonymousIpListEnabled
- Count: {}
- None: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: AWSManagedRulesAnonymousIpListMetric
MetricName: !Sub "${NamePrefix}-WAFAnonymousIpListMetric"
Statement:
ManagedRuleGroupStatement:
VendorName: AWS
Expand Down
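Review bot: With the defaults introduced here (`DefaultActionAllowEnabled: "yes"` and every `OverrideActionCount*Enabled: "yes"`), a stack deployed without overriding parameters attaches each enabled managed rule group in Count mode behind an Allow default, so the web ACL records matches but blocks nothing — a sensible rollout posture, but one that is currently only implied by parameters whose names end in "Enabled". None of the new parameters carry a `Description:`, and the yes/no sense is inverted from what the name suggests ("yes" means the rule group does not enforce). I would add, on each override parameter, `Description: '"yes" overrides the rule group action to Count (detect-only); set "no" to let it Block'`, and on the default-action parameter `Description: '"yes" allows requests matched by no rule; "no" blocks them'`. The same description should carry the caveat that the AWS managed rule groups used here only Block or Count, so selecting `Block: {}` as the default action with no explicit allow rule in the ACL would block all traffic, not just unmatched attacks. The WebACL's Rules list continues past the end of this section.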
17 changes: 15 additions & 2 deletions examples/core/main.tf
Expand Up @@ -104,6 +104,19 @@ module "waf" {
name_prefix = "test-waf-setup"
alb_arn = module.alb.arn

enable_CommonRuleSet = true
enable_PHPRuleSet = true
enable_DefaultActionAllow = true

enable_CommonRuleSet = true
enable_PHPRuleSet = true
enable_LinuxRuleSet = true
enable_SQLiRuleSet = true
enable_KnownBadInputsRuleSet = true
enable_UnixRuleSet = true

enable_OverrideActionCountCommonRuleSet = false
enable_OverrideActionCountPHPRuleSet = false
enable_OverrideActionCountLinuxRuleSet = false
enable_OverrideActionCountSQLiRuleSet = false
enable_OverrideActionCountKnownBadInputsRuleSet = false
enable_OverrideActionCountUnixRuleSet = false
}
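Review bot: The example pairs each enabled rule group with `enable_OverrideActionCount<Set> = false` but nothing says why, and that pairing is the only thing that makes the WAF actually block rather than count; a one-line comment above the override group, `# false = let the rule group block; true would put it in count-only (detect) mode`, would spare the reader a trip into the CloudFormation template. AdminProtection, Windows, WordPress and the two IP lists are left to whatever defaults variables.tf provides, which is not visible on this page.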
14 changes: 14 additions & 0 deletions main.tf
Expand Up @@ -10,6 +10,8 @@ resource "aws_cloudformation_stack" "waf" {
NamePrefix = var.name_prefix
AlbArn = var.alb_arn != "" ? var.alb_arn : "no"

DefaultActionAllowEnabled = var.enable_DefaultActionAllow ? "yes" : "no"

AWSManagedRulesCommonRuleSetEnabled = var.enable_CommonRuleSet ? "yes" : "no"
AWSManagedRulesAdminProtectionRuleSetEnabled = var.enable_AdminProtectionRuleSet ? "yes" : "no"
AWSManagedRulesKnownBadInputsRuleSetEnabled = var.enable_KnownBadInputsRuleSet ? "yes" : "no"
Expand All @@ -21,6 +23,18 @@ resource "aws_cloudformation_stack" "waf" {
AWSManagedRulesWordPressRuleSetEnabled = var.enable_WordPressRuleSet ? "yes" : "no"
AWSManagedRulesAmazonIpReputationListEnabled = var.enable_AmazonIpReputationList ? "yes" : "no"
AWSManagedRulesAnonymousIpListEnabled = var.enable_AnonymousIpList ? "yes" : "no"

OverrideActionCountCommonRuleSetEnabled = var.enable_OverrideActionCountCommonRuleSet ? "yes" : "no"
OverrideActionCountAdminProtectionRuleSetEnabled = var.enable_OverrideActionCountAdminProtectionRuleSet ? "yes" : "no"
OverrideActionCountKnownBadInputsRuleSetEnabled = var.enable_OverrideActionCountKnownBadInputsRuleSet ? "yes" : "no"
OverrideActionCountSQLiRuleSetEnabled = var.enable_OverrideActionCountSQLiRuleSet ? "yes" : "no"
OverrideActionCountLinuxRuleSetEnabled = var.enable_OverrideActionCountLinuxRuleSet ? "yes" : "no"
OverrideActionCountUnixRuleSetEnabled = var.enable_OverrideActionCountUnixRuleSet ? "yes" : "no"
OverrideActionCountWindowsRuleSetEnabled = var.enable_OverrideActionCountWindowsRuleSet ? "yes" : "no"
OverrideActionCountPHPRuleSetEnabled = var.enable_OverrideActionCountPHPRuleSet ? "yes" : "no"
OverrideActionCountWordPressRuleSetEnabled = var.enable_OverrideActionCountWordPressRuleSet ? "yes" : "no"
OverrideActionCountAmazonIpReputationListEnabled = var.enable_OverrideActionCountAmazonIpReputationList ? "yes" : "no"
OverrideActionCountAnonymousIpListEnabled = var.enable_OverrideActionCountAnonymousIpList ? "yes" : "no"
}

tags = var.tags
Expand Down
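Review bot: The eleven `OverrideActionCount*Enabled = var.enable_OverrideActionCount* ? "yes" : "no"` lines pass `true` through as "yes", which in the template means the rule group is overridden to Count, so a caller who sets `enable_OverrideActionCount* = true` expecting to turn protection on gets detect-only mode instead; these inverse-of-"enable" semantics deserve a comment at the head of that group, e.g. `# true = rule group overridden to Count (detect-only, nothing blocked); false = rule group enforces its Block actions`. The variable declarations, and therefore the module's out-of-the-box posture, live in variables.tf, which did not load on this page, so whether the module defaults to detect-only cannot be confirmed here; if those variables default to true, the README should say so explicitly. The `aws_cloudformation_stack` resource begins above this section and continues past it.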