FUM-3033-waf-module-refactor #4

DCamma · 2024-02-20T15:43:25Z

This will be a major release, a lot of breaking changes.

The goal of the refactor is to

reduce the number of inputs required
stronger defaults based on our usage of the module
re-order priorities
cleanup conditional code
more specific variables (less list(object(any)))

Added functionalities:

AWS managed rule groups
Rules based on the aws managed rule labels can be used in block, captcha or challenge mode
possibility to have different rules per groups of labels

⚠️ Breaking changes:

removed support for allowed_partners (whitelisting of hostnames). This is dangerous because the hostname header can be modified
logs_bucket_name becomes logs_bucket_name_override
var.self_ips, var.allowed_ips and var.whitelisted_ip_ranges have been removed and consolidated into var.whitelisted_ips_v4
allowed_ips_v6 becomes whitelisted_ips_v6
all objects that contained the field country_code now required the filed country_codes instead
aws_managed_rules_labels list becomes aws_managed_rule_groups object
aws_managed_rules list becomes aws_managed_rule_lables object
aws_managed_rules_limit has been removed and is now part of each object in aws_managed_rule_lables
enable_count_ch_requests becomes count_requests_from_ch
count_ch_priority removed, enable_count_ch_requests rule now have a fixed priority
count_ch_limit removed, this rule is anyway a failsafe that would be changed in the aws console during attacks, therefore the limit can also be changed there
search_limitation becomes limit_search_requests_by_countries, a limit of 0 downst deactivate the rule, but and empty list of countries does
Priorities are now enforced by varaibles validations

fix priorities fix ipv6 list fix-rule-action-override

DCamma · 2024-02-22T12:33:27Z

variables.tf

-variable "self_ips" {
-  default     = []
-  description = "The IP from own AWS account (NAT gateways)"
-  type        = set(string)
-}
-
-variable "allowed_ips" {
-  default     = []
-  description = "The IPv4 to allow"
-  type        = set(string)
-}
-
-variable "whitelisted_ip_ranges" {
-  default     = []
-  description = "List of enterprise IP ranges to be whitelisted. Set to empty list to disable the whitelisting"
-  type        = list(string)
-}


consolidated into whitelisted_ips_v4

variables.tf

waf.tf

DCamma · 2024-02-22T12:37:23Z

waf.tf

+      # dynamic "challenge_config" { 
+      # # avaliable in the console but seems to be not supported on tf (?) 
+      # # even if is mentioned in the docs https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#challenge_config-block
+      # # and is in an open issue https://github.com/hashicorp/terraform-provider-aws/issues/29071 
+      #   for_each = rule.value.action == "challenge" ? [1] : []
+      #   content {
+      #     immunity_time_property {
+      #       immunity_time = rule.value.immunity_seconds
+      #     }
+      #   }
+      # }


Not clear why this is, but there is no way to set a custom immunity time for challenges in terraform

DCamma · 2024-02-22T12:38:19Z

waf.tf

-  # Change "count" to "block" if you are under attack and want to
-  # rate limit to a low number of requests every country apart from Switzerland
-  rule {
-    name     = "Rate_limit_everything_apart_from_CH"


this was just moved, not completely removed

DCamma · 2024-02-22T12:38:31Z

waf.tf

-  }
-
-  dynamic "rule" {
-    for_each = var.enable_count_ch_requests ? [1] : []


DCamma · 2024-02-22T12:38:41Z

waf.tf

-  }
-
-  dynamic "rule" {
-    for_each = var.aws_managed_rules


completely reworked

DCamma · 2024-02-22T12:38:50Z

waf.tf

-    # rule for var.aws_managed_rules this rule would have no labels to check and therefore should not be created
-    for_each = length(var.aws_managed_rules_labels) > 0 && length(var.aws_managed_rules) > 0 ? [1] : []
-    content {
-      name     = "Rate_limit_based_on_AWS_labels"


completely reworked

README.md

logs.tf

variables.tf

waf.tf

sgametrio · 2024-02-22T13:23:27Z

Good stuff, added some comments

Co-authored-by: Demetrio Carrara <[email protected]>

Further examples that can be created: regional waf

sgametrio

LGTM

examples/complete/main.tf

variables.tf

sgametrio · 2024-02-22T15:16:08Z

variables.tf

-}
-
-variable "aws_managed_rules_labels" {
+variable "aws_managed_rule_lables" {


Suggested change

variable "aws_managed_rule_lables" {

variable "aws_managed_rule_labels" {

variables.tf

README.md

Co-authored-by: Demetrio Carrara <[email protected]>

FUM-3033-waf-module-refactor

38ab16c

DCamma force-pushed the FUM-3033-waf-module-refactor branch 3 times, most recently from 8755b7b to 8845f86 Compare February 21, 2024 15:39

DCamma added 3 commits February 22, 2024 11:38

FUM-3033 reduce variables, clanup rule priorities

6645bac

fix priorities fix ipv6 list fix-rule-action-override

allow-only-count-block-managed-rule-groups

574f63e

FUM-3033 add challenge and captcha support

93d003b

DCamma force-pushed the FUM-3033-waf-module-refactor branch from f7145e0 to 93d003b Compare February 22, 2024 10:38

FUM-3033 readme

f324794

DCamma force-pushed the FUM-3033-waf-module-refactor branch from e5cba1c to f324794 Compare February 22, 2024 11:34