Skip to content

Commit

Permalink
Updated WAF rules to count
Browse files Browse the repository at this point in the history
  • Loading branch information
jamesgreen-moj committed Mar 11, 2024
1 parent 401ece8 commit 34eb07c
Showing 1 changed file with 56 additions and 0 deletions.
56 changes: 56 additions & 0 deletions modules/admin/waf.tf
Original file line number Diff line number Diff line change
@@ -1,8 +1,33 @@
locals {

authorised_ips = [
"35.176.93.186/32",
"194.33.193.0/25",
"194.33.196.0/25",
"51.149.251.0/24",
"194.33.192.0/25",
"51.149.249.0/29",
"51.149.250.0/24",
"194.33.197.0/25",
"195.59.75.0/24",
"51.149.249.32/29",
"194.33.248.0/29",
"194.33.249.0/29"
]
}

resource "aws_wafv2_web_acl_association" "admin_alb_waf_association" {
resource_arn = aws_lb.admin_alb.arn
web_acl_arn = aws_wafv2_web_acl.admin_alb_acl.arn
}

resource "aws_wafv2_ip_set" "authorised_ips" {
name = "authorised-ips"
scope = "REGIONAL"
ip_address_version = "IPV4"
addresses = local.authorised_ips
}

resource "aws_wafv2_web_acl" "admin_alb_acl" {
name = "${var.prefix}-admin-acl"
description = "Admin WAF ACL"
Expand Down Expand Up @@ -159,6 +184,26 @@ resource "aws_wafv2_web_acl" "admin_alb_acl" {
}
}

rule {
name = "only-authorised-ips"
priority = 8
action {
count {}
}

statement {
ip_set_reference_statement {
arn = aws_wafv2_ip_set.authorised_ips.arn
}
}

visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "${var.prefix}-only-authorised-ips"
sampled_requests_enabled = true
}
}

rule {
// This rule should always be the last rule in the list
name = "only-gb"
Expand Down Expand Up @@ -188,3 +233,14 @@ resource "aws_wafv2_web_acl" "admin_alb_acl" {
sampled_requests_enabled = true
}
}

resource "aws_wafv2_web_acl_logging_configuration" "api_server_waf_log" {
log_destination_configs = [aws_cloudwatch_log_group.aws_waf_admin_alb_acl.arn]
resource_arn = aws_wafv2_web_acl.admin_alb_acl.arn
}

resource "aws_cloudwatch_log_group" "aws_waf_admin_alb_acl" {
name = "aws-waf-logs-waf-${aws_wafv2_web_acl.admin_alb_acl.name}"
retention_in_days = 90
tags = var.tags
}

0 comments on commit 34eb07c

Please sign in to comment.