Add WAF to ECS (#6)

LeoDiazL · web-flow · commit c5e20f23794b · 2025-08-27T15:15:22.000-03:00
* Add WAF option
diff --git a/README.md b/README.md
@@ -41,7 +41,7 @@ jobs:
   deploy-ecs:
     runs-on: ubuntu-latest
     - name: Create Nginx example
-      uses: bitovi/github-actions-deploy-ecs@v0.1.4
+      uses: bitovi/github-actions-deploy-ecs@v0.1.6
       id: ecs
       with:
         aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -80,7 +80,7 @@ jobs:
       url: ${{ steps.ecs.outputs.ecs_dns_record }}
     steps:
     - name: Create Nginx example
-      uses: bitovi/github-actions-deploy-ecs@v0.1.4
+      uses: bitovi/github-actions-deploy-ecs@v0.1.6
       id: ecs
       with:
         aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -108,9 +108,27 @@ jobs:
         aws_ecs_cloudwatch_skip_destroy: false
         aws_ecs_cloudwatch_retention_days: 1
 
+        aws_waf_enable: true
+        aws_waf_logging_enable: true
+        aws_waf_log_retention_days: 3
+        aws_waf_additional_tags: '{\"some\":\"tag\"}'
+        aws_waf_rule_rate_limit: 200
+        aws_waf_rule_managed_rules: true
+        aws_waf_rule_managed_bad_inputs: true
+        aws_waf_rule_ip_reputation: true
+        aws_waf_rule_anonymous_ip: true
+        aws_waf_rule_bot_control: false #(Extra cost)
+        aws_waf_rule_geo_block_countries: "CN,RU"
+        #aws_waf_rule_geo_allow_only_countries: "US,CA"
+        #aws_waf_rule_user_arn:
+        aws_waf_rule_sqli: true
+        aws_waf_rule_linux: true
+        aws_waf_rule_unix: true
+        aws_waf_rule_admin_protection: true
+
         aws_r53_enable: true
         aws_r53_domain_name: your-domain.com
-        aws_r53_sub_domain_name: sub-domain.com
+        aws_r53_sub_domain_name: sub-domain
         aws_r53_enable_cert: true
 ```
 
@@ -127,6 +145,7 @@ The following inputs can be used as `step.with` keys
 1. [ECS](#ecs-inputs)
 1. [Secrets and Environment Variables](#secrets-and-environment-variables-inputs)
 1. [VPC](#vpc-inputs)
+1. [WAF](#waf-inputs)
 1. [DNS](#dns-inputs)
 
 ### Outputs
@@ -206,6 +225,28 @@ The following inputs can be used as `step.with` keys
 <hr/>
 <br/>
 
+#### **WAF Inputs**
+| Name             | Type    | Description                        |
+|------------------|---------|------------------------------------|
+| `aws_waf_enable` | Boolean | Enable WAF for load balancer (LB only - NOT ELB). Default is `false` |
+| `aws_waf_logging_enable`| Boolean | Enable WAF logging to CloudWatch. Default `false` |
+| `aws_waf_log_retention_days`| Number | CloudWatch log retention period for WAF logs. Default `30` |
+| `aws_waf_rule_rate_limit`| String | Rate limit for WAF rules. Default is `2000` |
+| `aws_waf_rule_managed_rules`| Boolean | Enable common managed rule groups to use. Default `false` |
+| `aws_waf_rule_managed_bad_inputs`| Boolean | Enable managed rule for bad inputs. Default `false` |
+| `aws_waf_rule_ip_reputation`| Boolean | Enable managed rule for IP reputation. Default `false` |
+| `aws_waf_rule_anonymous_ip`| Boolean | Enable managed rule for anonymous IP. Default `false` |
+| `aws_waf_rule_bot_control`| Boolean | Enable managed rule for bot control (costs extra). Default `false` |
+| `aws_waf_rule_geo_block_countries`| String | Comma separated list of countries to block. |
+| `aws_waf_rule_geo_allow_only_countries`| String | Comma separated list of countries to allow. |
+| `aws_waf_rule_sqli`| Boolean | Enable managed rule for SQL injection. Default `false` |
+| `aws_waf_rule_linux`| Boolean | Enable managed rule for Linux. Default `false` |
+| `aws_waf_rule_unix`| Boolean | Enable managed rule for Unix. Default `false` |
+| `aws_waf_rule_admin_protection`| Boolean | Enable managed rule for admin protection. Default `false` |
+| `aws_waf_rule_user_arn`| String | String of the user created ARN set of rules. |
+| `aws_waf_additional_tags`| String | A list of strings that will be added to created resources. Default `"{}"` |
+<hr/>
+<br/>
 
 #### **VPC Inputs**
 | Name             | Type    | Description                        |
diff --git a/action.yaml b/action.yaml
@@ -56,7 +56,7 @@ inputs:
   aws_ecs_enable:
     description: 'Toggle ECS Creation'
     required: false
-    default: true
+    default: 'true'
   aws_ecs_service_name:
     description: 'Elastic Container Service name'
     required: false
@@ -137,16 +137,16 @@ inputs:
     required: false
   aws_ecs_cloudwatch_enable:
     description: "Toggle cloudwatch for ECS. Default 'false'"
-    reuired: false
+    required: false
   aws_ecs_cloudwatch_lg_name:
     description: "Log group name. Will default to aws_identifier if none."
-    reuired: false
+    required: false
   aws_ecs_cloudwatch_skip_destroy:
     description: "Toggle deletion or not when destroying the stack."
-    reuired: false
+    required: false
   aws_ecs_cloudwatch_retention_days:
     description: "Number of days to retain logs. 0 to never expire. Default '14'"
-    reuired: false
+    required: false
   aws_ecs_additional_tags:
     description: 'A list of strings that will be added to created resources'
     required: false
@@ -165,6 +165,58 @@ inputs:
     description: '`.env` file to be used with the app from Github variables'
     required: false
 
+  # AWS WAF
+  aws_waf_enable:
+    description: 'Enable WAF for load balancer.'
+    required: false
+  aws_waf_logging_enable:
+    description: 'Enable WAF logging to CloudWatch.'
+    required: false
+  aws_waf_log_retention_days:
+    description: 'CloudWatch log retention period for WAF logs.'
+    required: false
+  aws_waf_rule_rate_limit:
+    description: 'Rate limit for WAF rules.'
+    required: false
+  aws_waf_rule_managed_rules:
+    description: 'Enable common managed rule groups to use.'
+    required: false
+  aws_waf_rule_managed_bad_inputs:
+    description: 'Enable managed rule for bad inputs.'
+    required: false
+  aws_waf_rule_ip_reputation:
+    description: 'Enable managed rule for IP reputation.'
+    required: false
+  aws_waf_rule_anonymous_ip:
+    description: 'Enable managed rule for anonymous IP.'
+    required: false
+  aws_waf_rule_bot_control:
+    description: 'Enable managed rule for bot control (costs extra).'
+    required: false
+  aws_waf_rule_geo_block_countries:
+    description: 'Comma separated list of countries to block.'
+    required: false
+  aws_waf_rule_geo_allow_only_countries:
+    description: 'Comma separated list of countries to allow.'
+    required: false
+  aws_waf_rule_sqli:
+    description: 'Enable managed rule for SQL injection.'
+    required: false
+  aws_waf_rule_linux:
+    description: 'Enable managed rule for Linux.'
+    required: false
+  aws_waf_rule_unix:
+    description: 'Enable managed rule for Unix.'
+    required: false
+  aws_waf_rule_admin_protection:
+    description: 'Enable managed rule for admin protection.'
+    required: false
+  aws_waf_rule_user_arn:
+    description: 'ARN of the user rule.'
+    required: false
+  aws_waf_additional_tags:
+    description: 'A list of strings that will be added to created resources.'
+    required: false
 
   # AWS VPC Inputs
   aws_vpc_create:
@@ -316,6 +368,25 @@ runs:
         env_ghs: ${{inputs.env_ghs }}
         env_ghv: ${{inputs.env_ghv }}
 
+        # AWS WAF
+        aws_waf_enable: ${{ inputs.aws_waf_enable }}
+        aws_waf_logging_enable: ${{ inputs.aws_waf_logging_enable }}
+        aws_waf_log_retention_days: ${{ inputs.aws_waf_log_retention_days }}
+        aws_waf_additional_tags: ${{ inputs.aws_waf_additional_tags }}
+        aws_waf_rule_rate_limit: ${{ inputs.aws_waf_rule_rate_limit }}
+        aws_waf_rule_managed_rules: ${{ inputs.aws_waf_rule_managed_rules }}
+        aws_waf_rule_managed_bad_inputs: ${{ inputs.aws_waf_rule_managed_bad_inputs }}
+        aws_waf_rule_ip_reputation: ${{ inputs.aws_waf_rule_ip_reputation }}
+        aws_waf_rule_anonymous_ip: ${{ inputs.aws_waf_rule_anonymous_ip }}
+        aws_waf_rule_bot_control: ${{ inputs.aws_waf_rule_bot_control }}
+        aws_waf_rule_geo_block_countries: ${{ inputs.aws_waf_rule_geo_block_countries }}
+        aws_waf_rule_geo_allow_only_countries: ${{ inputs.aws_waf_rule_geo_allow_only_countries }}
+        aws_waf_rule_user_arn: ${{ inputs.aws_waf_rule_user_arn }}
+        aws_waf_rule_sqli: ${{ inputs.aws_waf_rule_sqli }}
+        aws_waf_rule_linux: ${{ inputs.aws_waf_rule_linux }}
+        aws_waf_rule_unix: ${{ inputs.aws_waf_rule_unix }}
+        aws_waf_rule_admin_protection: ${{ inputs.aws_waf_rule_admin_protection }}
+
        # AWS VPC Inputs
         aws_vpc_create: ${{inputs.aws_vpc_create }}
         aws_vpc_name: ${{inputs.aws_vpc_name }}
