diff --git a/modules/admin/waf.tf b/modules/admin/waf.tf index 5b7c4c5..59dd811 100644 --- a/modules/admin/waf.tf +++ b/modules/admin/waf.tf @@ -1,8 +1,33 @@ +locals { + + authorised_ips = [ + "35.176.93.186/32", + "194.33.193.0/25", + "194.33.196.0/25", + "51.149.251.0/24", + "194.33.192.0/25", + "51.149.249.0/29", + "51.149.250.0/24", + "194.33.197.0/25", + "195.59.75.0/24", + "51.149.249.32/29", + "194.33.248.0/29", + "194.33.249.0/29" + ] +} + resource "aws_wafv2_web_acl_association" "admin_alb_waf_association" { resource_arn = aws_lb.admin_alb.arn web_acl_arn = aws_wafv2_web_acl.admin_alb_acl.arn } +resource "aws_wafv2_ip_set" "authorised_ips" { + name = "authorised-ips" + scope = "REGIONAL" + ip_address_version = "IPV4" + addresses = local.authorised_ips +} + resource "aws_wafv2_web_acl" "admin_alb_acl" { name = "${var.prefix}-admin-acl" description = "Admin WAF ACL" @@ -159,6 +184,26 @@ resource "aws_wafv2_web_acl" "admin_alb_acl" { } } + rule { + name = "only-authorised-ips" + priority = 8 + action { + count {} + } + + statement { + ip_set_reference_statement { + arn = aws_wafv2_ip_set.authorised_ips.arn + } + } + + visibility_config { + cloudwatch_metrics_enabled = true + metric_name = "${var.prefix}-only-authorised-ips" + sampled_requests_enabled = true + } + } + rule { // This rule should always be the last rule in the list name = "only-gb" @@ -188,3 +233,14 @@ resource "aws_wafv2_web_acl" "admin_alb_acl" { sampled_requests_enabled = true } } + +resource "aws_wafv2_web_acl_logging_configuration" "api_server_waf_log" { + log_destination_configs = [aws_cloudwatch_log_group.aws_waf_admin_alb_acl.arn] + resource_arn = aws_wafv2_web_acl.admin_alb_acl.arn +} + +resource "aws_cloudwatch_log_group" "aws_waf_admin_alb_acl" { + name = "aws-waf-logs-waf-${aws_wafv2_web_acl.admin_alb_acl.name}" + retention_in_days = 90 + tags = var.tags +}