-
Notifications
You must be signed in to change notification settings - Fork 1
/
waf.tf
114 lines (90 loc) · 2.18 KB
/
waf.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
# Attach web ACL to Application load balancer
resource "aws_wafregional_web_acl_association" "waf_alb" {
resource_arn = "${module.alb.load_balancer_id}"
web_acl_id = "${aws_wafregional_web_acl.wordpress_waf_acl.id}"
}
# Create the top level web ACL - populate rules later with cloud formation
resource "aws_wafregional_web_acl" "wordpress_waf_acl" {
name = "wordpressWafACL"
metric_name = "wordpressWafACL"
default_action {
# Allow any traffic that doesn't match any rules bellow
type = "ALLOW"
}
rule {
action {
type = "BLOCK"
}
priority = 1
rule_id = "${aws_wafregional_rule.sqli_rule.id}"
}
rule {
action {
type = "BLOCK"
}
priority = 2
rule_id = "${aws_wafregional_rule.xss_rule.id}"
}
}
# XXS matchset and rule
resource "aws_wafregional_xss_match_set" "xss_match_set" {
name = "xss_match_set"
xss_match_tuple {
text_transformation = "NONE"
field_to_match {
type = "URI"
}
}
xss_match_tuple {
text_transformation = "NONE"
field_to_match {
type = "QUERY_STRING"
}
}
}
resource "aws_wafregional_rule" "xss_rule" {
name = "xxsWAFRule"
metric_name = "xxsWAFRule"
predicate {
type = "XssMatch"
data_id = "${aws_wafregional_xss_match_set.xss_match_set.id}"
negated = false
}
}
# SQL injection matchset and rule
resource "aws_wafregional_sql_injection_match_set" "sql_match_set" {
name = "sql_match_set"
sql_injection_match_tuple {
text_transformation = "CMD_LINE"
field_to_match {
type = "QUERY_STRING"
}
}
sql_injection_match_tuple {
text_transformation = "CMD_LINE"
field_to_match {
type = "BODY"
}
}
sql_injection_match_tuple {
text_transformation = "URL_DECODE"
field_to_match {
type = "QUERY_STRING"
}
}
sql_injection_match_tuple {
text_transformation = "URL_DECODE"
field_to_match {
type = "BODY"
}
}
}
resource "aws_wafregional_rule" "sqli_rule" {
name = "sqliWAFRule"
metric_name = "sqliWAFRule"
predicate {
type = "SqlInjectionMatch"
data_id = "${aws_wafregional_sql_injection_match_set.sql_match_set.id}"
negated = false
}
}