

feat: Refactoring web acl rules (#393)
* refactoring web acl rules

* missed locals.tf file

* fix for_each rules

* refactor for_each

* fix webacl rules definitions
uolter authored Sep 28, 2024
1 parent 4a1b569 commit df69465
Showing 5 changed files with 55 additions and 85 deletions.
8 changes: 4 additions & 4 deletions src/infra/modules/backend/lambda.tf
Expand Up @@ -266,8 +266,8 @@ data "aws_ssm_parameter" "is_gh_integration_lambda" {

data "aws_iam_policy_document" "is_gh_integration_lambda" {
statement {
effect = "Allow"
actions = [
effect = "Allow"
actions = [
"ssm:Describe*",
"ssm:Get*",
"ssm:List*"
Expand All @@ -290,8 +290,8 @@ module "is_gh_integration_lambda" {

publish = true

attach_policy_json = true
policy_json = data.aws_iam_policy_document.is_gh_integration_lambda.json
attach_policy_json = true
policy_json = data.aws_iam_policy_document.is_gh_integration_lambda.json

cloudwatch_logs_retention_in_days = var.is_gh_integration_lambda.cloudwatch_logs_retention_in_days

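--- /dev/null
+++ b/src/infra/modules/frontend/locals.tf
@@ -0,0 +1,32 @@
+locals {
+web_acl_rules = [
+{
+name = "IpReputationList"
+priority = 1
+managed_rule_group_name = "AWSManagedRulesAmazonIpReputationList"
+vendor_name = "AWS"
+metric_name = "IpReputationList"
+},
+{
+name = "CommonRuleSet"
+priority = 2
+managed_rule_group_name = "AWSManagedRulesCommonRuleSet"
+vendor_name = "AWS"
+metric_name = "CommonRuleSet"
+},
+{
+name = "KnownBadInputsRuleSet"
+priority = 3
+managed_rule_group_name = "AWSManagedRulesKnownBadInputsRuleSet"
+vendor_name = "AWS"
+metric_name = "KnownBadInputsRuleSet"
+},
+{
+name = "SQLiRuleSet"
+priority = 4
+managed_rule_group_name = "AWSManagedRulesSQLiRuleSet"
+vendor_name = "AWS"
+metric_name = "SQLiRuleSet"
+}
+]
+}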
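Review bot: The new `web_acl_rules` list carries no comment on how its fields are consumed, and two of them have non-obvious constraints: `name` is used as the `for_each` key in main.tf (`{ for r in local.web_acl_rules : r.name => r }`), so it must be unique per entry, and `priority` sets the WAF evaluation order (lower values are evaluated first) independently of list position. A header comment above the list would save the next editor from guessing, e.g. `# Managed rule groups attached to aws_wafv2_web_acl.main through its dynamic "rule" block: name is the for_each key (must be unique), priority is the WAF evaluation order (lower first), metric_name feeds visibility_config.` It may also be worth noting in that comment that `metric_name` duplicates `name` in every entry, so a future entry that diverges is a deliberate choice rather than a typo.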
94 changes: 16 additions & 78 deletions src/infra/modules/frontend/main.tf
Expand Up @@ -192,93 +192,31 @@ resource "aws_wafv2_web_acl" "main" {
allow {}
}

rule {
name = "IpReputationList"
priority = 1

override_action {
count {}
}

statement {
managed_rule_group_statement {
name = "AWSManagedRulesAmazonIpReputationList"
vendor_name = "AWS"
}
}

visibility_config {
cloudwatch_metrics_enabled = var.web_acl.cloudwatch_metrics_enabled
metric_name = "IpReputationList"
sampled_requests_enabled = var.web_acl.sampled_requests_enabled
}
}

dynamic "rule" {
for_each = { for r in local.web_acl_rules : r.name => r }
content {
name = rule.value.name
priority = rule.value.priority

rule {
name = "CommonRuleSet"
priority = 2

override_action {
count {}
}

statement {
managed_rule_group_statement {
name = "AWSManagedRulesCommonRuleSet"
vendor_name = "AWS"
override_action {
count {}
}
}

visibility_config {
cloudwatch_metrics_enabled = var.web_acl.cloudwatch_metrics_enabled
metric_name = "CommonRuleSet"
sampled_requests_enabled = var.web_acl.sampled_requests_enabled
}
}

rule {
name = "KnownBadInputsRuleSet"
priority = 3

override_action {
count {}
}

statement {
managed_rule_group_statement {
name = "AWSManagedRulesKnownBadInputsRuleSet"
vendor_name = "AWS"
statement {
managed_rule_group_statement {
name = rule.value.managed_rule_group_name
vendor_name = rule.value.vendor_name
}
}
}

visibility_config {
cloudwatch_metrics_enabled = var.web_acl.cloudwatch_metrics_enabled
metric_name = "KnownBadInputsRuleSet"
sampled_requests_enabled = var.web_acl.sampled_requests_enabled
}
}

rule {
name = "SQLiRuleSet"
priority = 4

override_action {
count {}
}

statement {
managed_rule_group_statement {
name = "AWSManagedRulesSQLiRuleSet"
vendor_name = "AWS"
visibility_config {
cloudwatch_metrics_enabled = var.web_acl.cloudwatch_metrics_enabled
metric_name = rule.value.metric_name
sampled_requests_enabled = var.web_acl.sampled_requests_enabled
}
}

visibility_config {
cloudwatch_metrics_enabled = var.web_acl.cloudwatch_metrics_enabled
metric_name = "SQLiRuleSet"
sampled_requests_enabled = var.web_acl.sampled_requests_enabled
}
}

tags = { Name = var.web_acl.name }
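Review bot: The `override_action { count {} }` inside the new `content` block is now the single setting for every managed rule group driven by `local.web_acl_rules`, so all four groups can only run in count mode, which meters matches in CloudWatch and sampled requests but never blocks the request; the removed per-rule blocks had the same setting, but after the refactor there is no per-rule way to move a group to enforcing mode without editing the resource itself. Consider adding an `override_action` field to each entry in locals.tf (for example `"count"` or `"none"`, the two block names the provider accepts) and selecting the block from it, defaulting to `"count"` so the current posture is unchanged and enforcement becomes a data change reviewed alongside the rule list. At minimum, a comment above the dynamic block such as `# All managed rule groups run in count mode: matches are only metered, not blocked` would make the current posture explicit. The enclosing `aws_wafv2_web_acl.main` resource starts before this hunk.
```hcl
      override_action {
        # Defaults to count (current behaviour); set override_action = "none" on an entry
        # in local.web_acl_rules to let the managed group's own block actions apply.
        dynamic "count" {
          for_each = try(rule.value.override_action, "count") == "count" ? [1] : []
          content {}
        }
        dynamic "none" {
          for_each = try(rule.value.override_action, "count") == "none" ? [1] : []
          content {}
        }
      }
      # … unchanged: statement and visibility_config …
```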
2 changes: 1 addition & 1 deletion src/infra/prod/eu-central-1/variables.tf
Expand Up @@ -183,7 +183,7 @@ variable "cie_entity_id" {
}

variable "is_gh_sns_arn" {
type = string
type = string
# default = "arn:aws:sns:eu-south-1:116453376486:history"
default = null
}
4 changes: 2 additions & 2 deletions src/infra/prod/eu-south-1/variables.tf
Expand Up @@ -354,8 +354,8 @@ variable "alarm_subscribers" {
}

variable "is_gh_sns_arn" {
type = string
# default = "arn:aws:sns:eu-south-1:116453376486:history"
type = string
# default = "arn:aws:sns:eu-south-1:116453376486:history"
default = null
}


0 comments on commit df69465
