Accueil Explorer Aide
S'inscrire Connexion
AFS
/
xdr-terraform-modules
2
0
Fork 0
Fichiers Tickets 0 Pull Requests 0 Wiki
Aborescence: 2431d81450
Branches Tags
xdr-terraform-m...
/
base
/
splunk_servers
/
customer_searchhead
/
waf.tf

waf.tf 2.5 KB
Historique Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768 
  1. module "waf" {
    2. 

  2.   source = "../../../submodules/wafv2"
    3. 

  3. 

  4.   # Custom to resource
    5. 

  5.   allowed_ips            = [] # bypasses filters, so should not be needed/used unless warranted
    6. 

  6.   admin_ips              = concat(local.zscalar_ips, local.admin_ips)
    7. 

  7.   additional_blocked_ips = [] # NOTE: There is a standard list in the submodule
    8. 

  8.   resource_arn           = aws_lb.searchhead-alb.arn
    9. 

  9.   fqdns = concat( # first entry in list will be the WAF name
    10. 

  10.     module.public_dns_record_cust-elb.forward,
    11. 

  11.     # example, to add additional valid hostnames
    12. 

  12.     #    keys(module.public_dns_record_cust-auth-elb.forward),
    13. 

  13.   )
    14. 

  14. 

  15.   excluded_rules_AWSManagedRulesCommonRuleSet = [
    16. 

  16.     "CrossSiteScripting_BODY",
    17. 

  17.     "SizeRestrictions_BODY",
    18. 

  18.     "SizeRestrictions_QUERYSTRING",
    19. 

  19.     "RestrictedExtensions_URIPATH",
    20. 

  20.     "RestrictedExtensions_QUERYARGUMENTS",
    21. 

  21.     "EC2MetaDataSSRF_BODY",
    22. 

  22.     "GenericLFI_BODY",
    23. 

  23.   ]
    24. 

  24.   excluded_rules_AWSManagedRulesSQLiRuleSet = [
    25. 

  25.     "SQLi_QUERYARGUMENTS",
    26. 

  26.     "SQLi_BODY",
    27. 

  27.   ]
    28. 

  28.   excluded_rules_AWSManagedRulesUnixRuleSet = [
    29. 

  29.     "UNIXShellCommandsVariables_BODY",
    30. 

  30.     "UNIXShellCommandsVariables_QUERYARGUMENTS",
    31. 

  31.   ]
    32. 

  32.   excluded_rules_AWSManagedRulesLinuxRuleSet = [
    33. 

  33.     "LFI_QUERYSTRING",
    34. 

  34.   ]
    35. 

  35. 

  36.   # These are passed through and should be the same for module
    37. 

  37.   tags           = merge(local.standard_tags, var.tags)
    38. 

  38.   aws_partition  = var.aws_partition
    39. 

  39.   aws_region     = var.aws_region
    40. 

  40.   aws_account_id = var.aws_account_id
    41. 

  41. }
    42. 

  42. 

  43. # Example: If you want to attach the WAF to an additional ALB
    44. 

  44. #
    45. 

  45. # Share a WAF for both services, should be cheaper due to scale, but can be easily separated out
    46. 

  46. # using the commented section below, if the need arises.
    47. 

  47. 

  48. #resource "aws_wafv2_web_acl_association" "associate-auth-to-waf" {
    49. 

  49. #  resource_arn = aws_lb.searchhead-auth-alb.arn
    50. 

  50. #  web_acl_arn  = module.waf.web_acl_id
    51. 

  51. #}
    52. 

  52. 

  53. # Example: If you want a second WAF, that should be straightforward
    54. 

  54. #module "waf-auth" {
    55. 

  55. #  source = "../../../submodules/wafv2"
    56. 

  56. #
    57. 

  57. #  # Custom to resource
    58. 

  58. #  allowed_ips = [ ] # bypasses filters, so should not be needed/used unless warranted
    59. 

  59. #  additional_blocked_ips = [ ] # NOTE: There is a standard list in the submodule
    60. 

  60. #  resource_arn = aws_lb.searchhead-auth-alb.arn
    61. 

  61. #  fqdns = keys(module.public_dns_record_cust-auth-elb.forward) # first entry in list will be the WAF name
    62. 

  62. #
    63. 

  63. #  # These are passed through and should be the same for module
    64. 

  64. #  tags = merge(local.standard_tags, var.tags)
    65. 

  65. #  aws_partition = var.aws_partition
    66. 

  66. #  aws_region = var.aws_region
    67. 

  67. #  aws_account_id = var.aws_account_id
    68. 

  68. #}
    69.