Ana Sayfa Keşfet Yardım
Üye Ol Giriş Yap
AFS
/
xdr-terraform-modules
2
0
Çatalla 0
Dosyalar Sorunlar 0 Değişiklik İstekleri 0 Wiki
Kaynağa Gözat

Updates Portal WAF to WAF v2

Adds the arn as output to the waf module
Fixes RDS version

To be tagged v2.1.16
Fred Damstra [afs macbook] 3 yıl önce
ebeveyn
fe8ed3cdcf
işleme
842895b4b6
4 değiştirilmiş dosya ile 19 ekleme ve 32 silme
Görünümü Böl Farklılık Durumunu Göster
  1. 1 1
      base/customer_portal/rds.tf
  2. 12 30
      base/customer_portal/waf.tf
  3. 3 0
      submodules/wafv2/outputs.tf
  4. 3 1
      submodules/wafv2/waf.tf

+ 1 - 1
base/customer_portal/rds.tf
Dosyayı Görüntüle 

@@ -24,7 +24,7 @@ resource "aws_db_instance" "postgres" {
 
   deletion_protection         = var.environment == "test" ? "false" : "true"
 
   delete_automated_backups    = "true"
 
   engine                      = "postgres"
 
-  engine_version              = var.environment == "test" ? "12.4" : "10.15"
 
+  engine_version              = var.environment == "test" ? "12.7" : "10.15"
 
   final_snapshot_identifier   = "customerportal"
 
   instance_class              = "db.t2.small"
 
   identifier                  = "customerportal"

+ 12 - 30
base/customer_portal/waf.tf
Dosyayı Görüntüle 

@@ -1,33 +1,15 @@
 
-locals {
 
-  blacklisted_ips = [
 
-    {
 
-      "value" = "172.16.0.0/16"
 
-      type    = "IPV4"
 
-    },
 
-    {
 
-      "value" = "192.168.0.0/16"
 
-      type    = "IPV4"
 
-    },
 
-    {
 
-      "value" = "169.254.0.0/16"
 
-      type    = "IPV4"
 
-    },
 
-    {
 
-      "value" = "127.0.0.1/32"
 
-      type    = "IPV4"
 
-    },
 
-  ]
 
-  waf_prefix = "portal"
 
-}
 
-
 
-module "regional_waf" {
 
-  source             = "../../submodules/waf_owasp_top10"
 
-  waf_prefix         = local.waf_prefix
 
-  blacklisted_ips    = local.blacklisted_ips
 
-  admin_remote_ipset = var.admin_remote_ipset
 
-}
 
+module "waf" {
 
+  source = "../../submodules/wafv2"
 
 
-resource "aws_wafregional_web_acl_association" "portal_alb_waf" {
 
+  # Custom to resource
 
+  allowed_ips = [ ] # bypasses filters, so should not be needed/used unless warranted. We previously did var.admin_remote_ipset, but that seems like a bad idea
 
+  additional_blocked_ips = [ ] # NOTE: There is a standard list in the submodule
 
   resource_arn = aws_alb.portal.arn
 
-  web_acl_id   = module.regional_waf.web_acl_id
 
+  fqdns = keys(module.public_dns_record.forward) # first entry in list will be the WAF name
 
+
 
+  # These are passed through and should be the same for module
 
+  tags = merge(var.standard_tags, var.tags)
 
+  aws_partition = var.aws_partition
 
+  aws_region = var.aws_region
 
+  aws_account_id = var.aws_account_id
 
 }

+ 3 - 0
submodules/wafv2/outputs.tf
Dosyayı Görüntüle 

@@ -0,0 +1,3 @@
 
+output "web_acl_id" {
 
+  value = module.wafv2.web_acl_id
 
+}

+ 3 - 1
submodules/wafv2/waf.tf
Dosyayı Görüntüle 

@@ -129,7 +129,9 @@ module "wafv2" {
 
   # Baseline was from trussworks/wafv2/aws, but copied here to be customized for our use and renumbered.
 
   managed_rules =  [
 
     {
 
-      "excluded_rules": [],
 
+      "excluded_rules": [
 
+        "SizeRestrictions_BODY"  # Breaks too many things
 
+      ],
 
       "name": "AWSManagedRulesCommonRuleSet",
 
       "override_action": "none",
 
       "priority": 510