Merge pull request #2 from dapperlabs-platform/mgardner-owasp-updates

update owasp variables
dapperlabs-platform · Apr 12, 2024 · 8f857e9 · 8f857e9
2 parents b81a44f + e8a0b94
commit 8f857e9
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 11 deletions.
diff --git a/main.tf b/main.tf
@@ -1,3 +1,23 @@
+locals {
+  category_settings = {
+    "1" = [
+      { category = "paranoia-level-2", enabled = false },
+      { category = "paranoia-level-3", enabled = false },
+      { category = "paranoia-level-4", enabled = false }
+    ],
+    "2" = [
+      { category = "paranoia-level-3", enabled = false },
+      { category = "paranoia-level-4", enabled = false }
+    ],
+    "3" = [
+      { category = "paranoia-level-4", enabled = false }
+    ],
+    "4" = []
+  }
+}
+
+
+
 data "cloudflare_zones" "zones" {
   count = length(var.domains)
 
@@ -8,6 +28,7 @@ data "cloudflare_zones" "zones" {
   }
 }
 
+
 resource "cloudflare_ruleset" "zone_level_managed_waf" {
   count = length(var.domains)
 
@@ -35,20 +56,18 @@ resource "cloudflare_ruleset" "zone_level_managed_waf" {
       id      = "4814384a9e5d4991b9815dcfc25d2f1f"
       version = "latest"
       overrides {
-        categories {
-          category = "paranoia-level-3"
-          action   = "block"
-          enabled  = false
-        }
-        categories {
-          category = "paranoia-level-4"
-          action   = "block"
-          enabled  = false
+        dynamic "categories" {
+          for_each = local.category_settings[tostring(var.paranoia_level)]
+          content {
+            category = categories.value.category
+            enabled  = categories.value.enabled
+          }
         }
+
         rules {
           id              = "6179ae15870a4bb7b2d480d4843b323c"
-          action          = "managed_challenge"
-          score_threshold = 25
+          action          = var.owasp_action
+          score_threshold = var.anomaly_score_threshold
         }
       }
     }

diff --git a/variables.tf b/variables.tf
@@ -14,3 +14,23 @@ variable "owasp_enabled" {
   description = "Enable OWASP Core Ruleset"
   default     = true
 }
+
+variable "owasp_action" {
+  type        = string
+  description = "OWASP Core Ruleset action"
+  default     = "log"
+}
+
+variable "anomaly_score_threshold" {
+  type        = number
+  description = "OWASP Core Ruleset anomaly score threshold"
+  default     = 60
+
+}
+
+variable "paranoia_level" {
+  type        = number
+  description = "OWASP Core Ruleset paranoia level"
+  default     = 3
+
+}