
Updates Portal WAF to WAF v2

Adds the arn as output to the waf module
Fixes RDS version

To be tagged v2.1.16
Fred Damstra [afs macbook] 3 years ago
parent
commit
842895b4b6
4 changed files with 19 additions and 32 deletions
  1. 1 1
      base/customer_portal/rds.tf
  2. 12 30
      base/customer_portal/waf.tf
  3. 3 0
      submodules/wafv2/outputs.tf
  4. 3 1
      submodules/wafv2/waf.tf

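--- a/base/customer_portal/rds.tf
+++ b/base/customer_portal/rds.tf
@@ -24,7 +24,7 @@ resource "aws_db_instance" "postgres" {
   deletion_protection         = var.environment == "test" ? "false" : "true"
   delete_automated_backups    = "true"
   engine                      = "postgres"
-  engine_version              = var.environment == "test" ? "12.4" : "10.15"
+  engine_version              = var.environment == "test" ? "12.7" : "10.15"
   final_snapshot_identifier   = "customerportal"
   instance_class              = "db.t2.small"
   identifier                  = "customerportal"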

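--- a/base/customer_portal/waf.tf
+++ b/base/customer_portal/waf.tf
@@ -1,33 +1,15 @@
-locals {
-  blacklisted_ips = [
-    {
-      "value" = "172.16.0.0/16"
-      type    = "IPV4"
-    },
-    {
-      "value" = "192.168.0.0/16"
-      type    = "IPV4"
-    },
-    {
-      "value" = "169.254.0.0/16"
-      type    = "IPV4"
-    },
-    {
-      "value" = "127.0.0.1/32"
-      type    = "IPV4"
-    },
-  ]
-  waf_prefix = "portal"
-}
-
-module "regional_waf" {
-  source             = "../../submodules/waf_owasp_top10"
-  waf_prefix         = local.waf_prefix
-  blacklisted_ips    = local.blacklisted_ips
-  admin_remote_ipset = var.admin_remote_ipset
-}
+module "waf" {
+  source = "../../submodules/wafv2"
 
-resource "aws_wafregional_web_acl_association" "portal_alb_waf" {
+  # Custom to resource
+  allowed_ips = [ ] # bypasses filters, so should not be needed/used unless warranted. We previously did var.admin_remote_ipset, but that seems like a bad idea
+  additional_blocked_ips = [ ] # NOTE: There is a standard list in the submodule
   resource_arn = aws_alb.portal.arn
-  web_acl_id   = module.regional_waf.web_acl_id
+  fqdns = keys(module.public_dns_record.forward) # first entry in list will be the WAF name
+
+  # These are passed through and should be the same for module
+  tags = merge(var.standard_tags, var.tags)
+  aws_partition = var.aws_partition
+  aws_region = var.aws_region
+  aws_account_id = var.aws_account_id
 }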
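Review bot: The WAF name is derived from `fqdns = keys(module.public_dns_record.forward)`, but `keys()` returns map keys in lexical order, so the "first entry" is whichever hostname sorts lowest, and adding a DNS record that sorts earlier silently renames the WAF; if the submodule feeds that name into `aws_wafv2_web_acl.name` (not visible here), a rename forces replacement of the ACL and the ALB runs without a web ACL for the duration of the apply. I'd pass the canonical name explicitly instead of relying on sort order, e.g. `fqdns = concat(["portal.<domain>"], keys(module.public_dns_record.forward))` or a dedicated name input if the submodule offers one, and make the dependency explicit in the comment: `# WAF name comes from the first fqdn; keep the canonical portal hostname first`. The empty `allowed_ips` with its rationale is the right call; consider moving that rationale into the submodule's variable description so the next caller does not reintroduce an admin bypass.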

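--- /dev/null
+++ b/submodules/wafv2/outputs.tf
@@ -0,0 +1,3 @@
+output "web_acl_id" {
+  value = module.wafv2.web_acl_id
+}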
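Review bot: The new output is named `web_acl_id` and reads `module.wafv2.web_acl_id`, while the commit message says the ARN is what is exported; in WAFv2 the ACL ID and ARN are distinct values, and `aws_wafv2_web_acl_association` and most other consumers take the ARN, so a caller using this output for an association will fail. If the inner module exposes it, add `output "web_acl_arn" { value = module.wafv2.web_acl_arn }` alongside, and give both outputs a `description` stating which consumers each is for. I cannot see the inner module's outputs from here, so confirm which attribute it actually exports before relying on the name.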

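--- a/submodules/wafv2/waf.tf
+++ b/submodules/wafv2/waf.tf
@@ -129,7 +129,9 @@ module "wafv2" {
   # Baseline was from trussworks/wafv2/aws, but copied here to be customized for our use and renumbered.
   managed_rules =  [
     {
-      "excluded_rules": [],
+      "excluded_rules": [
+        "SizeRestrictions_BODY"  # Breaks too many things
+      ],
       "name": "AWSManagedRulesCommonRuleSet",
       "override_action": "none",
       "priority": 510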
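Review bot: The comment on `SizeRestrictions_BODY` records that the rule breaks things but not what or why, and the exclusion applies to every path behind the ACL; if `excluded_rules` maps to WAFv2's `excluded_rule` as in the trussworks baseline this was copied from, the rule is set to COUNT rather than removed, so WAF logs and sampled requests will show exactly which endpoints trip it and a scope-down statement on those endpoints could replace the blanket exclusion. Until then, oversized request bodies reach the application unfiltered, so the app or ALB must enforce its own body-size limit. I'd replace the comment with `# COUNT only: legitimate portal requests exceed this rule's body-size threshold. App must enforce its own limit; TODO scope the exclusion to the affected paths and re-enable.` The enclosing `module "wafv2"` block and its `managed_rules` list continue outside the hunk.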