Merge pull request #18 from DNXLabs/feature/add-waf

✨ Add WAF + small fixes
DNXLabs · Mar 8, 2022 · bfb5090 · bfb5090
2 parents 451633e + 147cd30
commit bfb5090
Show file tree

Hide file tree

Showing 8 changed files with 128 additions and 10 deletions.
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -51,7 +51,7 @@ jobs:
     name: Minimum version check
     runs-on: ubuntu-latest
     container:
-      image: hashicorp/terraform:0.12.20
+      image: hashicorp/terraform:0.13.0
     steps:
       - uses: actions/checkout@master
       - name: Validate Code

diff --git a/README.md b/README.md
@@ -38,14 +38,13 @@ If you have specified cloudfront_default_certificate, TLSv1 must be specified.
 
 | Name | Version |
 |------|---------|
-| terraform | >= 0.12.20 |
+| terraform | >= 0.13.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | aws | n/a |
-| aws.us-east-1 | n/a |
 
 ## Inputs
 
@@ -74,6 +73,11 @@ If you have specified cloudfront_default_certificate, TLSv1 must be specified.
 | name | Name of your ECS service | `any` | n/a | yes |
 | restriction\_location | The ISO 3166-1-alpha-2 codes for which you want CloudFront either to distribute your content (whitelist) or not distribute your content (blacklist) | `list(any)` | `[]` | no |
 | restriction\_type | The restriction type of your CloudFront distribution geolocation restriction. Options include none, whitelist, blacklist | `string` | `"none"` | no |
+| waf\_cloudfront\_enable | Enable WAF for Cloudfront distribution | `bool` | `false` | no |
+| wafv2\_managed\_block\_rule\_groups | List of WAF V2 managed rule groups, set to block | `list(string)` | `[]` | no |
+| wafv2\_managed\_rule\_groups | List of WAF V2 managed rule groups, set to count | `list(string)` | <pre>[<br>  "AWSManagedRulesCommonRuleSet"<br>]</pre> | no |
+| wafv2\_rate\_limit\_rule | The limit on requests per 5-minute period for a single originating IP address (leave 0 to disable) | `number` | `0` | no |
+| web\_acl\_id | Web ACL ARN for Cloudfront distribution | `string` | `null` | no |
 
 ## Outputs
 

diff --git a/_providers.tf b/_providers.tf
diff --git a/_variables.tf b/_variables.tf
@@ -121,4 +121,34 @@ variable "alarm_prefix" {
   type        = string
   description = "String prefix for cloudwatch alarms. (Optional)"
   default     = "alarm"
+}
+
+variable "waf_cloudfront_enable" {
+  type        = bool
+  description = "Enable WAF for Cloudfront distribution"
+  default     = false
+}
+
+variable "wafv2_managed_rule_groups" {
+  type        = list(string)
+  default     = ["AWSManagedRulesCommonRuleSet"]
+  description = "List of WAF V2 managed rule groups, set to count"
+}
+
+variable "wafv2_managed_block_rule_groups" {
+  type        = list(string)
+  default     = []
+  description = "List of WAF V2 managed rule groups, set to block"
+}
+
+variable "wafv2_rate_limit_rule" {
+  type        = number
+  default     = 0
+  description = "The limit on requests per 5-minute period for a single originating IP address (leave 0 to disable)"
+}
+
+variable "web_acl_id" {
+  type        = string
+  description = "Web ACL ARN for Cloudfront distribution"
+  default     = null
 }
diff --git a/cloudfront.tf b/cloudfront.tf
@@ -6,6 +6,10 @@ resource "aws_cloudfront_distribution" "default" {
   price_class         = "PriceClass_All"
   wait_for_deployment = false
 
+  depends_on = [aws_wafv2_web_acl.waf_cloudfront]
+
+  web_acl_id = var.waf_cloudfront_enable ? aws_wafv2_web_acl.waf_cloudfront[0].arn : null
+
   origin {
     domain_name = var.alb_dns_name
     origin_id   = "default"
@@ -166,5 +170,4 @@ resource "aws_cloudfront_distribution" "default" {
     }
   }
 
-  web_acl_id = var.cloudfront_web_acl_id != "" ? var.cloudfront_web_acl_id : ""
 }
diff --git a/cloudwatch-alarms.tf b/cloudwatch-alarms.tf
@@ -1,6 +1,5 @@
 resource "aws_cloudwatch_metric_alarm" "cloudfront_500_errors" {
-  provider = aws.us-east-1
-  count    = length(var.alarm_sns_topics_us) > 0 && var.alarm_cloudfront_500_errors_threshold != 0 ? 1 : 0
+  count = length(var.alarm_sns_topics_us) > 0 && var.alarm_cloudfront_500_errors_threshold != 0 ? 1 : 0
 
   alarm_name                = try(data.aws_iam_account_alias.current[0].account_alias, "${var.alarm_prefix}-ecs-${var.name}-cloudfront-500-errors")
   comparison_operator       = "GreaterThanOrEqualToThreshold"

diff --git a/versions.tf b/versions.tf
@@ -1,3 +1,4 @@
 terraform {
-  required_version = ">= 0.12.20"
+  required_version = ">= 0.13.0"
+
 }
diff --git a/waf.tf b/waf.tf
@@ -0,0 +1,84 @@
+resource "aws_wafv2_web_acl" "waf_cloudfront" {
+  count       = var.waf_cloudfront_enable ? 1 : 0
+  name        = "waf-cloudfront-${var.name}"
+  description = "WAF managed rules for Cloudfront"
+  scope       = "CLOUDFRONT"
+
+
+
+  default_action {
+    allow {}
+  }
+
+  dynamic "rule" {
+
+
+    for_each = local.wafv2_rules
+
+    content {
+      name     = "waf-${var.name}-${rule.value.type}-${rule.value.name}"
+      priority = rule.key
+
+      dynamic "override_action" {
+        for_each = rule.value.type == "managed" ? [1] : []
+        content {
+          count {}
+        }
+      }
+
+      dynamic "action" {
+        for_each = rule.value.type == "rate" ? [1] : []
+        content {
+          block {}
+        }
+      }
+
+      statement {
+        dynamic "rate_based_statement" {
+          for_each = rule.value.type == "rate" ? [1] : []
+          content {
+            limit              = rule.value.value
+            aggregate_key_type = "IP"
+          }
+        }
+
+        dynamic "managed_rule_group_statement" {
+          for_each = rule.value.type == "managed" || rule.value.type == "managed_block" ? [1] : []
+          content {
+            name        = rule.value.name
+            vendor_name = "AWS"
+          }
+        }
+      }
+
+
+      visibility_config {
+        cloudwatch_metrics_enabled = true
+        metric_name                = "waf-${var.name}-${rule.value.type}-${rule.value.name}"
+        sampled_requests_enabled   = false
+      }
+    }
+  }
+
+  tags = {
+    Name = "waf-cloudfront-${var.name}-static-application"
+  }
+
+  visibility_config {
+    cloudwatch_metrics_enabled = true
+    metric_name                = "waf-cloudfront-${var.name}-general"
+    sampled_requests_enabled   = false
+  }
+
+}
+
+locals {
+  wafv2_managed_rule_groups       = [for i, v in var.wafv2_managed_rule_groups : { "name" : v, "type" : "managed" }]
+  wafv2_managed_block_rule_groups = [for i, v in var.wafv2_managed_block_rule_groups : { "name" : v, "type" : "managed_block" }]
+  wafv2_rate_limit_rule = var.wafv2_rate_limit_rule == 0 ? [] : [{
+    "name" : "limit"
+    "type" : "rate"
+    "value" : var.wafv2_rate_limit_rule
+  }]
+  wafv2_rules = concat(local.wafv2_rate_limit_rule, local.wafv2_managed_block_rule_groups, local.wafv2_managed_rule_groups)
+}