willfarrell/terraform-waf-module

Web Application Firewall (WAF)

For use with CloudFront, Application Load Balancers (ALB) and API Gateway.

Setup

Module


# Global (edge) ACL for CloudFront. Classic WAF global resources live in
# us-east-1, which is why a dedicated provider alias is passed in.
module "waf_cdn" {
  source        = "git@github.com:willfarrell/terraform-waf-module?ref=v0.0.2"
  type          = "edge"
  name          = "${local.workspace["name"]}"
  defaultAction = "${var.defaultAction}"

  ipAdminListId = "${aws_waf_ipset.admin.id}"
  ipWhiteListId = "${aws_waf_ipset.white.id}"

  logging_bucket = "${local.workspace["name"]}-${local.workspace["env"]}-edge-logs"

  providers = {
    aws = "aws.edge"
  }
}

# Regional ACL for ALB / API Gateway. Regional IP sets are a separate
# resource type (aws_wafregional_ipset) from the global ones used above.
module "waf_alb" {
  source        = "git@github.com:willfarrell/terraform-waf-module?ref=v0.0.2"
  type          = "regional"
  name          = "${local.workspace["name"]}"
  defaultAction = "${var.defaultAction}"

  ipAdminListId = "${aws_wafregional_ipset.admin.id}"
  ipWhiteListId = "${aws_wafregional_ipset.white.id}"

  logging_bucket = "${local.workspace["name"]}-${local.workspace["env"]}-${local.workspace["region"]}-logs"
}

# Publish the bad-bot IP set ID so a honeypot can add offending addresses.
# The module label must match one of the module blocks above (waf_cdn here).
resource "aws_ssm_parameter" "bad-bot" {
  name        = "/config/waf/ipset/bad-bot"
  description = "IP Set ID of the bad bot / honeypot blacklist"
  type        = "String"
  value       = "${module.waf_cdn.ipset_bad-bot_id}"
}

IP Lists

resource "aws_waf_ipset" "white" {
  name = "${var.name}-override-white-ipset"
}

resource "aws_wafregional_ipset" "white" {
  name = "${var.name}-override-white-ipset"
}
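The whitelist sets above are declared with a name only; addresses are added through `ip_set_descriptors` blocks. The following is an added example, not part of the module's README, that declares the `admin` sets the Setup block's `ipAdminListId` refers to, in both the global and regional variants, and populates them. The CIDR ranges are constructed RFC 5737 documentation addresses, and the `var.name` prefix follows the naming convention of the `white` sets above, which take descriptors the same way.

```hcl
# Added example: the admin IP sets consumed by the module's Admin Url Rule.
# Classic WAF keeps global (CloudFront) and regional (ALB / API Gateway)
# IP sets as separate resource types, so both variants are declared.

# Global set: operator ranges allowed to reach admin paths behind CloudFront.
# 203.0.113.0/24 is a constructed RFC 5737 documentation range.
resource "aws_waf_ipset" "admin" {
  name = "${var.name}-override-admin-ipset"

  ip_set_descriptors {
    type  = "IPV4"
    value = "203.0.113.0/24"
  }

  # IPv6 entries use the same block with type = "IPV6".
  ip_set_descriptors {
    type  = "IPV6"
    value = "2001:db8::/32"
  }
}

# Regional set with the same membership, for the ALB / API Gateway ACL.
resource "aws_wafregional_ipset" "admin" {
  name = "${var.name}-override-admin-ipset"

  ip_set_descriptors {
    type  = "IPV4"
    value = "203.0.113.0/24"
  }

  ip_set_descriptors {
    type  = "IPV6"
    value = "2001:db8::/32"
  }
}
```

Keeping the global and regional sets in the same file makes it easy to see that their membership matches; if only one of them is updated, the admin paths are reachable from different address ranges depending on which entry point a client uses.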

Input

  • scope: Type of WAF. REGIONAL or CLOUDFRONT. [Default: CLOUDFRONT]
  • name: application name
  • defaultAction: Action applied to requests that no rule matches. Set to ALLOW for the public to gain access [Default: DENY]

See variables.tf for the full list of OWASP rule inputs that can be configured.

Output

  • id: ID of the web ACL created by the module (aws_waf_web_acl id)
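The Input and Output sections describe what goes into the module and what comes out, but not how the resulting ACL is attached to the endpoints it protects. The following is an added example, not part of the module's README, that wires the `id` output of the `waf_alb` and `waf_cdn` modules from the Setup section to an ALB and a CloudFront distribution using the Classic WAF association resources, which match the `aws_waf_ipset` resources used above (WAFv2 uses `aws_wafv2_web_acl_association` and expects the ACL ARN instead). `aws_lb.app` is a hypothetical load balancer assumed to be declared elsewhere in the configuration.

```hcl
# Added example: attaching the module-created web ACLs to the protected
# resources. Assumes an ALB named aws_lb.app exists elsewhere (hypothetical).

# Regional ACL -> Application Load Balancer. An API Gateway stage is
# attached the same way by passing its stage ARN as resource_arn.
resource "aws_wafregional_web_acl_association" "alb" {
  resource_arn = "${aws_lb.app.arn}"
  web_acl_id   = "${module.waf_alb.id}"
}

# Global (edge) ACL -> CloudFront. The ACL is referenced on the distribution
# itself rather than through an association resource.
resource "aws_cloudfront_distribution" "cdn" {
  enabled    = true
  web_acl_id = "${module.waf_cdn.id}"

  origin {
    domain_name = "${aws_lb.app.dns_name}"
    origin_id   = "alb"

    # Require TLS between the edge and the origin so the ALB only
    # accepts traffic that has already passed the edge ACL over HTTPS.
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    allowed_methods        = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = "alb"
    viewer_protocol_policy = "redirect-to-https"

    # Forward everything so the origin sees the same request the WAF inspected.
    forwarded_values {
      query_string = true
      headers      = ["*"]

      cookies {
        forward = "all"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
```

Attaching the regional ACL to the ALB as well as the edge ACL to CloudFront matters when the load balancer is reachable directly and not only through the distribution; otherwise requests addressed to the origin skip the edge ACL entirely. With the default `defaultAction` of DENY, only clients in the whitelist sets get through either path until the action is switched to ALLOW.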

Rules

ACL
|- Blacklist Group
|  |- Bad Bot Rule
|  |- Blacklist Rule
|  |- HTTP Flood Rule           # ** Requires Manual Enabling **
|  |- Reputation List Rule
|  |- Scanner Probes Rule
|- OWASP Group
|  |- Admin Url Rule
|  |- Auth Token Rule
|  |- CSRF Rule
|  |- Paths Rule
|  |- Server Side Include Rule
|  |- Size Restriction Rule
|  |- SQL Injection Rule
|  |- XSS Rule
|- Whitelist Rule

For Classic WAF, use versions <= v0.0.4.

Sources

About

OWASP WAF
