AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355
							# trussworks/wafv2/aws has a basic WAF with the AWS Managed Ruleset
# See https://registry.terraform.io/modules/trussworks/wafv2/aws/latest
#
# Attempted to add some sane defaults so we can customize as needed
#
# IMPORTANT NOTES:
#   An 'Allow' action stops processing immediately. Avoid them!

# Goals:
#  - US IPs only  -  https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-geo-match.html

locals {
  waf_name = replace(var.fqdns[0], ".", "_")
}

resource "aws_wafv2_ip_set" "blocked" {
  name = "${local.waf_name}_blocked_ips"

  scope              = "REGIONAL"
  ip_address_version = "IPV4"

  addresses = toset(concat(var.additional_blocked_ips, local.blocked_ips))

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_wafv2_ip_set" "allowed" {
  name = "${local.waf_name}_allowed_ips"

  scope              = "REGIONAL"
  ip_address_version = "IPV4"

  addresses = var.allowed_ips

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_wafv2_rule_group" "xdr_custom_rules" {
  name = "${local.waf_name}_xdr_custom_rules_rev3" # update name when updating
  scope    = "REGIONAL"
  capacity = 60

  # Note, there is visibilty config for the group and for the rule
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "${local.waf_name}_xdr_custom_rules"
    #metric_name                = "xdr_custom_rules"
    sampled_requests_enabled   = true
  }

  rule {
    name = "Block_Nonpermitted_Countries"
    priority = 100

    action {
      block {}
    }

    statement {
      not_statement {
        statement {
          geo_match_statement {
            country_codes = [
              "US",
              "DE",
            ]
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "Block_Nonpermitted_Countries"
      sampled_requests_enabled   = true
    }

#    rule_label {
#      name = "xdr_custom:nonpermittedcountry"
#    }
  }

#  rule {
#    name = "Block_log4j_Exploit_20211210"
#    action {
#      block {}
#    }
#    priority = 110
#
#    #rule_label {
#    #  name = "xdr_custom:log4j"
#    #}
#
#    visibility_config {
#      cloudwatch_metrics_enabled = true
#      metric_name                = "Block_Log4j_exploit_20211210"
#      sampled_requests_enabled   = true
#    }
#
#    statement {
#      or_statement {
#        statement {
#          byte_match_statement {
#            field_to_match {
#              single_header {
#                name = "user-agent"
#              }
#            }
#            positional_constraint = "STARTS_WITH"
#            search_string = "$${jndi:" # ldap://"
#
#            text_transformation {
#              priority = 1
#              type     = "BASE64_DECODE"
#            }
#
#            #text_transformation {
#            #  priority = 3
#            #  type     = "HEX_DECODE"
#            #}
#
#            text_transformation {
#              priority = 5
#              type     = "LOWERCASE"
#            }
#          }
#        }
#
##        statement {
##          byte_match_statement {
##            field_to_match {
##              method {}
##            }
##            positional_constraint = "STARTS_WITH"
##            search_string = "$${jndi:" # ldap://"
##
##            text_transformation {
##              priority = 1
##              type     = "BASE64_DECODE"
##            }
##
##            text_transformation {
##              priority = 3
##              type     = "HEX_DECODE"
##            }
##
##            text_transformation {
##              priority = 5
##              type     = "LOWERCASE"
##            }
##          }
##        }
##
##        statement {
##          byte_match_statement {
##            field_to_match {
##              query_string {}
##            }
##            positional_constraint = "CONTAINS"
##            search_string = "$${jndi:" # ldap://"
##
##            text_transformation {
##              priority = 1
##              type     = "BASE64_DECODE"
##            }
##
##            #text_transformation {
##            #  priority = 3
##            #  type     = "HEX_DECODE"
##            #}
##
##            text_transformation {
##              priority = 5
##              type     = "LOWERCASE"
##            }
##          }
##        }
#
#        statement {
#          byte_match_statement {
#            field_to_match {
#              uri_path {}
#            }
#            positional_constraint = "CONTAINS"
#            search_string = "$${jndi:" # ldap://"
#
#            text_transformation {
#              priority = 1
#              type     = "BASE64_DECODE"
#            }
#
#            #text_transformation {
#            #  priority = 3
#            #  type     = "HEX_DECODE"
#            #}
#
#            text_transformation {
#              priority = 5
#              type     = "LOWERCASE"
#            }
#          }
#        }
#      }  
#    }
#  }
  # Add additional custom rules here

  lifecycle {
    create_before_destroy = true
  }
}

module "wafv2" {
  source = "trussworks/wafv2/aws"
  version = "= 2.4.0"

  name   = local.waf_name
  scope = "REGIONAL"

  alb_arn       = var.resource_arn
  associate_alb = true
  default_action = "block" # Note: The final action is actually to 'allow', provided the host header is correct

  filtered_header_rule = {
    header_types = var.fqdns
    header_value = "host"
    priority     = 900
    action       = "allow"
  }

  # IP based rules are processed first. 
  # If an IP is blocked, it is blocked no matter what.
  # If an IP is allowed, it is allowed only if it's not blocked, but no other WAF rules are processed.
  ip_sets_rule = [
    {
      name       = "blocked_ips"
      action     = "block"
      priority   = 10
      ip_set_arn = aws_wafv2_ip_set.blocked.arn
    },
    {
      name       = "allowed_ips"
      action     = "allow"
      priority   = 20
      ip_set_arn = aws_wafv2_ip_set.allowed.arn
    }
  ]

  # Custom Rules are defined above
  group_rules = [
    {
      name            = aws_wafv2_rule_group.xdr_custom_rules.name
      arn             = aws_wafv2_rule_group.xdr_custom_rules.arn
      priority        = 100
      override_action = "none"
      excluded_rules  = []
    }
  ]

  # A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span
  # Because of zscalar, this is completely ineffective for us.
  #ip_rate_based_rule = {
  #  name     = "Rate_Limit"
  #  priority = 200
  #  limit    = 3000 # 6000 requests per 5 minutes= 10 requests/second (sustained for 5 minutes)
  #  action   = "block"
  #}

  # AWS managed rulesets
  # Baseline was from trussworks/wafv2/aws, but copied here to be customized for our use and renumbered.
  managed_rules =  [
    {
      "excluded_rules": var.excluded_rules_AWSManagedRulesCommonRuleSet,
      "name": "AWSManagedRulesCommonRuleSet",
      "override_action": "none",
      "priority": 510
    },
    {
      "excluded_rules": var.excluded_rules_AWSManagedRulesAmazonIpReputationList,
      "name": "AWSManagedRulesAmazonIpReputationList",
      "override_action": "none",
      "priority": 520
    },
    {
      "excluded_rules": var.excluded_rules_AWSManagedRulesKnownBadInputsRuleSet,
      "name": "AWSManagedRulesKnownBadInputsRuleSet",
      "override_action": "none",
      "priority": 530
    },
    {
      "excluded_rules": var.excluded_rules_AWSManagedRulesSQLiRuleSet,
      "name": "AWSManagedRulesSQLiRuleSet",
      "override_action": "none",
      "priority": 540
    },
    {
      "excluded_rules": var.excluded_rules_AWSManagedRulesLinuxRuleSet,
      "name": "AWSManagedRulesLinuxRuleSet",
      "override_action": "none",
      "priority": 550
    },
    {
      "excluded_rules": var.excluded_rules_AWSManagedRulesUnixRuleSet,
      "name": "AWSManagedRulesUnixRuleSet",
      "override_action": "none",
      "priority": 560
    }
  ]

  depends_on = [ aws_wafv2_rule_group.xdr_custom_rules ]
  tags = var.tags
}

resource "aws_wafv2_web_acl_logging_configuration" "waf_logs" {
  log_destination_configs = [ "arn:${var.aws_partition}:firehose:${var.aws_region}:${var.aws_account_id}:deliverystream/aws-waf-logs-splunk" ]
  resource_arn            = module.wafv2.web_acl_id

#  logging_filter {
#    default_behavior = "KEEP"
#
#    filter {
#      behavior = "DROP"
#
#      condition {
#        action_condition {
#          action = "COUNT"
#        }
#      }
#
#      condition {
#        label_name_condition {
#          label_name = "awswaf:111122223333:rulegroup:testRules:LabelNameZ"
#        }
#      }
#
#      requirement = "MEETS_ALL"
#    }
#
#    filter {
#      behavior = "KEEP"
#
#      condition {
#        action_condition {
#          action = "ALLOW"
#        }
#      }
#
#      requirement = "MEETS_ANY"
#    }
#  }
}