tests

tx-pts-dai · Dec 19, 2024 · 2549cab · 2549cab
1 parent d1e6762
commit 2549cab
Show file tree

Hide file tree

Showing 4 changed files with 157 additions and 28 deletions.
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -106,6 +106,105 @@ module "waf" {
   block_articles            = []
   block_regex_pattern       = {}
   enable_logging            = false
-  deploy_athena_queries     = true
   logs_bucket_name_override = null
 }
+
+module "waf_parallel" {
+  source = "../../"
+  providers = {
+    aws = aws.us
+  }
+  # Required variables: None
+  # Non required variables"
+  waf_name                          = "cloudfront-waf-parallel"
+  waf_scope                         = "CLOUDFRONT"
+  waf_logs_retention                = 7
+  enable_google_bots_whitelist      = true
+  google_bots_url                   = "https://developers.google.com/search/apis/ipranges/googlebot.json"
+  enable_parsely_crawlers_whitelist = false
+  parsely_crawlers_url              = "https://www.parse.ly/static/data/crawler-ips.json"
+  enable_k6_whitelist               = false
+  k6_ip_ranges_url                  = "https://ip-ranges.amazonaws.com/ip-ranges.json"
+  whitelisted_ips_v4                = ["1.1.1.1/16", "255.255.255.255/32"]
+  whitelisted_ips_v6                = []
+  whitelisted_headers = {
+    headers = {
+      "MyCustomHeader"  = "Lighthouse"
+      "MyCustomHeader2" = "Playwright-secretStr1ng-disco"
+    }
+  }
+  aws_managed_rule_groups = [
+    {
+      name     = "AWSManagedRulesAnonymousIpList" # Full list of labels from this group: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-ip-rep.html
+      priority = 50
+    },
+    {
+      name     = "AWSManagedRulesAmazonIpReputationList" # Full list of labels from this group: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-ip-rep.html
+      priority = 59
+    }
+  ]
+  aws_managed_rule_labels = [
+    {
+      name     = "aws_managed_rule_low_limit"
+      labels   = ["awswaf:managed:aws:anonymous-ip-list:AnonymousIPList", "awswaf:managed:aws:amazon-ip-list:AWSManagedIPReputationList", "awswaf:managed:aws:amazon-ip-list:AWSManagedReconnaissanceList", "awswaf:managed:aws:amazon-ip-list:AWSManagedIPDDoSList"]
+      priority = 60
+    },
+    {
+      name     = "aws_managed_rule_high_limit"
+      labels   = ["awswaf:managed:aws:anonymous-ip-list:HostingProviderIPList"]
+      limit    = 750
+      priority = 61
+    }
+  ]
+  count_requests_from_ch = false
+  country_rates = [
+    {
+      name          = "Group_1-CH"
+      limit         = 50000
+      country_codes = ["CH"]
+      action        = "captcha"
+      priority      = 70
+    },
+    {
+      name          = "Group_2-DE_AT_FR"
+      limit         = 4000
+      country_codes = ["AT", "FR", "DE"]
+      priority      = 71
+    },
+    {
+      name          = "Very_slow"
+      limit         = 100
+      country_codes = ["AR", "BD", "BR", "KH", "CN", "CO", "EC", "IN", "ID", "MX", "NP", "PK", "RU", "SG", "TR", "UA", "AE", "ZM", "VN"]
+      priority      = 72
+    }
+  ]
+  country_count_rules = [
+    {
+      name          = "count-CH"
+      limit         = 4000
+      country_codes = ["CH"]
+      priority      = 90
+    },
+    {
+      name          = "count-DE"
+      limit         = 1000
+      country_codes = ["DE"]
+      priority      = 91
+    }
+  ]
+  everybody_else_limit = 0
+  limit_search_requests_by_countries = {
+    limit         = 100
+    country_codes = ["CH"]
+  }
+  block_uri_path_string     = []
+  block_articles            = []
+  block_regex_pattern       = {}
+  enable_logging            = false
+  logs_bucket_name_override = null
+
+  # WHEN YOU WANT TO DEPLOY A SECOND WAF IN PARALLEL, YOU NEED TO SET THIS VARIABLE TO TRUE
+  deploy_logs_bucket           = false
+  alternative_logs_bucket_name = module.waf.logs_bucket_name
+  alternative_logs_bucket_arn  = module.waf.logs_bucket_arn
+}
diff --git a/logs.tf b/logs.tf
@@ -1,32 +1,34 @@
 
 resource "aws_athena_workgroup" "waf" {
+  count         = var.deploy_logs_bucket ? 1 : 0
   name          = "waf-logs-${var.waf_name}"
   force_destroy = true
   configuration {
     enforce_workgroup_configuration    = true
     publish_cloudwatch_metrics_enabled = true
 
     result_configuration {
-      output_location = "s3://${aws_s3_bucket.logs.bucket}/query-results/"
+      output_location = "s3://${aws_s3_bucket.logs[0].bucket}/query-results/"
     }
   }
 }
 
 resource "aws_athena_database" "waf" {
+  count         = var.deploy_logs_bucket ? 1 : 0
   name          = "waf_logs_${replace(var.waf_name, "-", "_")}"
   force_destroy = true
-  bucket        = aws_s3_bucket.logs.bucket
+  bucket        = aws_s3_bucket.logs[0].bucket
   comment       = "database for WAF logs"
 }
 
 resource "aws_athena_named_query" "waf_logs_table" {
-  count     = var.deploy_athena_queries ? 1 : 0
+  count     = var.deploy_logs_bucket ? 1 : 0
   name      = "partition-projection-table-creation-${var.waf_name}"
-  workgroup = aws_athena_workgroup.waf.id
-  database  = aws_athena_database.waf.name
+  workgroup = aws_athena_workgroup.waf[0].id
+  database  = aws_athena_database.waf[0].name
   query = templatefile("${path.module}/athena_queries/waf_logs_table.sql.tftpl",
     {
-      bucket_name  = aws_s3_bucket.logs.id
+      bucket_name  = aws_s3_bucket.logs[0].id
       account_id   = data.aws_caller_identity.current.account_id
       waf_scope    = lower(var.waf_scope)
       web_acl_name = var.waf_name
@@ -35,67 +37,71 @@ resource "aws_athena_named_query" "waf_logs_table" {
 }
 
 resource "aws_athena_named_query" "requests_per_client_ip" {
-  count     = var.deploy_athena_queries ? 1 : 0
+  count     = var.deploy_logs_bucket ? 1 : 0
   name      = "requests-per-client-ip-per-5min-${var.waf_name}"
-  workgroup = aws_athena_workgroup.waf.id
-  database  = aws_athena_database.waf.name
+  workgroup = aws_athena_workgroup.waf[0].id
+  database  = aws_athena_database.waf[0].name
   query     = file("${path.module}/athena_queries/client_ip_per_5min.sql")
 }
 
 resource "aws_athena_named_query" "count_group_by" {
-  count     = var.deploy_athena_queries ? 1 : 0
+  count     = var.deploy_logs_bucket ? 1 : 0
   name      = "count-requests-grouped-by-ip-tenant-endpoint-${var.waf_name}"
-  workgroup = aws_athena_workgroup.waf.id
-  database  = aws_athena_database.waf.name
+  workgroup = aws_athena_workgroup.waf[0].id
+  database  = aws_athena_database.waf[0].name
   query     = file("${path.module}/athena_queries/count_requests_grouped_by_ip_tenant_endpoint.sql")
 }
 
 resource "aws_athena_named_query" "blocked_requests" {
-  count     = var.deploy_athena_queries ? 1 : 0
+  count     = var.deploy_logs_bucket ? 1 : 0
   name      = "requests-blocked-${var.waf_name}"
-  workgroup = aws_athena_workgroup.waf.id
-  database  = aws_athena_database.waf.name
+  workgroup = aws_athena_workgroup.waf[0].id
+  database  = aws_athena_database.waf[0].name
   query     = file("${path.module}/athena_queries/blocked_requests.sql")
 }
 
 resource "aws_athena_named_query" "per_ip_blocked_requests" {
-  count     = var.deploy_athena_queries ? 1 : 0
+  count     = var.deploy_logs_bucket ? 1 : 0
   name      = "requests-blocked-per-client-ip-${var.waf_name}"
-  workgroup = aws_athena_workgroup.waf.id
-  database  = aws_athena_database.waf.name
+  workgroup = aws_athena_workgroup.waf[0].id
+  database  = aws_athena_database.waf[0].name
   query     = file("${path.module}/athena_queries/per_ip_blocked_requests.sql")
 }
 
 resource "aws_athena_named_query" "first_logs_query" {
-  count     = var.deploy_athena_queries ? 1 : 0
+  count     = var.deploy_logs_bucket ? 1 : 0
   name      = "first-ten-results-${var.waf_name}"
-  workgroup = aws_athena_workgroup.waf.id
-  database  = aws_athena_database.waf.name
+  workgroup = aws_athena_workgroup.waf[0].id
+  database  = aws_athena_database.waf[0].name
   query     = "SELECT * FROM waf_logs limit 10;"
 }
 
 resource "aws_s3_bucket" "logs" {
+  count         = var.deploy_logs_bucket ? 1 : 0
   bucket        = coalesce(var.logs_bucket_name_override, "aws-waf-logs-${var.waf_name}-${data.aws_caller_identity.current.account_id}")
   force_destroy = true
 }
 
 # See issue <https://github.com/hashicorp/terraform-provider-aws/issues/28353>
 resource "aws_s3_bucket_ownership_controls" "logs" {
-  bucket = aws_s3_bucket.logs.id
+  count  = var.deploy_logs_bucket ? 1 : 0
+  bucket = var.deploy_logs_bucket ? aws_s3_bucket.logs[0].id : var.alternative_logs_bucket_name
   rule {
     object_ownership = "BucketOwnerPreferred"
   }
 }
 
 resource "aws_s3_bucket_acl" "logs" {
-  bucket = aws_s3_bucket.logs.id
+  count  = var.deploy_logs_bucket ? 1 : 0
+  bucket = var.deploy_logs_bucket ? aws_s3_bucket.logs[0].id : var.alternative_logs_bucket_name
   acl    = "private"
 
   depends_on = [aws_s3_bucket_ownership_controls.logs]
 }
 
 resource "aws_s3_bucket_lifecycle_configuration" "logs" {
-  bucket = aws_s3_bucket.logs.bucket
+  count  = var.deploy_logs_bucket ? 1 : 0
+  bucket = var.deploy_logs_bucket ? aws_s3_bucket.logs[0].id : var.alternative_logs_bucket_name
   rule {
     id = "waf-logs"
     expiration {
@@ -107,6 +113,6 @@ resource "aws_s3_bucket_lifecycle_configuration" "logs" {
 
 resource "aws_wafv2_web_acl_logging_configuration" "logs" {
   count                   = var.enable_logging ? 1 : 0
-  log_destination_configs = [aws_s3_bucket.logs.arn]
+  log_destination_configs = [var.deploy_logs_bucket ? aws_s3_bucket.logs[0].arn : var.alternative_logs_bucket_arn]
   resource_arn            = aws_wafv2_web_acl.waf.arn
 }
diff --git a/outputs.tf b/outputs.tf
@@ -15,3 +15,14 @@ output "google_bots" {
   )
   description = "List of Google bots whitelisted"
 }
+
+
+output "logs_bucket_name" {
+  value       = var.deploy_logs_bucket ? aws_s3_bucket.logs[0].id : null
+  description = "Logs bucket name"
+}
+
+output "logs_bucket_arn" {
+  value       = var.deploy_logs_bucket ? aws_s3_bucket.logs[0].arn : null
+  description = "Logs bucket arn"
+}
diff --git a/variables.tf b/variables.tf
@@ -295,12 +295,25 @@ variable "enable_logging" {
   default     = false
 }
 
-variable "deploy_athena_queries" {
-  description = "Enables the deployment of the athena pre-saved queries to easily access the logs generated by waf"
+
+variable "deploy_logs_bucket" {
+  description = "Enables the deployment of the s3 bucket to store the waf logs. Also enables the deployment of the athena pre-saved queries to easily access the logs generated by waf"
   default     = true
   type        = bool
 }
 
+variable "alternative_logs_bucket_name" {
+  description = "Override the default bucket destination for waf logs. If 'deploy_logs_bucket' is set to false, this variable must be set."
+  default     = null
+  type        = string
+}
+
+variable "alternative_logs_bucket_arn" {
+  description = "Override the default bucket destination for waf logs. If 'deploy_logs_bucket' is set to false, this variable must be set."
+  default     = null
+  type        = string
+}
+
 variable "logs_bucket_name_override" {
   description = "Override the default bucket name for waf logs. Default name: `aws-waf-logs-<lower(var.waf_scope)>-<data.aws_caller_identity.current.account_id>"
   default     = null