#
# Copyright Amazon.com, Inc. and its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT
#
# Licensed under the MIT License. See the LICENSE accompanying this file
# for the specific language governing permissions and limitations under
# the License.
#
# Edge Network WAF
# See https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html for the AWS managed rule groups referenced below.
# AWS managed rules: Core Rule Set, geographical location (custom), AWS managed IP reputation, AWS managed anonymous IP*, known bad inputs set, IP block/allow set (custom)
#------------------------Please customize with YOUR rules--------------------
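# Firewall Manager WAFv2 policy applied to CloudFront distributions (global
# scope, hence the aws.global provider).
#
# Created only when var.create_global_fms_waf_policy is true. Scope is the
# organizational units in var.global_policy_orgunit_list, narrowed by
# var.global_policy_resource_tags when that map is non-empty. Rule groups are
# evaluated in the order of the preProcessRuleGroups list; whatever is not
# matched falls through to var.global_policy_default_action.
#
# Fix: logDestinationConfigs must be a list of delivery-stream ARNs. Only the
# option1 branch wrapped its ARN in a list; option2 and option3 passed the
# bare stack-output string, so the conditional's branches had inconsistent
# types and the logging configuration was not in the shape FMS expects.
resource "aws_fms_policy" "NonProdCFrontPolicy_global" {
  count    = var.create_global_fms_waf_policy ? 1 : 0
  provider = aws.global

  name                  = var.global_policy_name
  exclude_resource_tags = var.global_policy_exclude_resource_tags
  # true  -> Firewall Manager automatically attaches the web ACL to
  #          non-compliant distributions
  # false -> non-compliance is only reported
  remediation_enabled = var.global_policy_remediation_enabled
  resource_type       = "AWS::CloudFront::Distribution"

  include_map {
    orgunit = var.global_policy_orgunit_list
  }

  # An empty tag map is sent as null so the policy covers every in-scope
  # distribution instead of matching nothing.
  resource_tags = length(var.global_policy_resource_tags) == 0 ? null : var.global_policy_resource_tags

  security_service_policy_data {
    type = "WAFV2"
    managed_service_data = jsonencode({
      type = "WAFV2"
      preProcessRuleGroups = [
        # AWS managed IP reputation list
        {
          managedRuleGroupIdentifier = {
            vendorName           = "AWS"
            managedRuleGroupName = "AWSManagedRulesAmazonIpReputationList"
          }
          ruleGroupType  = "ManagedRuleGroup"
          ruleGroupArn   = null
          overrideAction = { type = "NONE" }
        },
        # AWS managed Core Rule Set
        {
          managedRuleGroupIdentifier = {
            vendorName           = "AWS"
            managedRuleGroupName = "AWSManagedRulesCommonRuleSet"
          }
          ruleGroupType  = "ManagedRuleGroup"
          ruleGroupArn   = null
          overrideAction = { type = "NONE" }
        },
        # AWS managed known bad inputs
        {
          managedRuleGroupIdentifier = {
            vendorName           = "AWS"
            managedRuleGroupName = "AWSManagedRulesKnownBadInputsRuleSet"
          }
          ruleGroupType  = "ManagedRuleGroup"
          ruleGroupArn   = null
          overrideAction = { type = "NONE" }
        },
        # AWS managed admin protection
        {
          managedRuleGroupIdentifier = {
            vendorName           = "AWS"
            managedRuleGroupName = "AWSManagedRulesAdminProtectionRuleSet"
          }
          ruleGroupType  = "ManagedRuleGroup"
          ruleGroupArn   = null
          overrideAction = { type = "NONE" }
        },
        # AWS managed Bot Control, deliberately in COUNT mode: matches are
        # recorded in metrics and logs but nothing is blocked. Switch to
        # "NONE" once the counted traffic has been reviewed if enforcement
        # is wanted.
        {
          managedRuleGroupIdentifier = {
            vendorName           = "AWS"
            managedRuleGroupName = "AWSManagedRulesBotControlRuleSet"
          }
          ruleGroupType  = "ManagedRuleGroup"
          ruleGroupArn   = null
          overrideAction = { type = "COUNT" }
        },
        # Custom rate-based rule group created by a CloudFormation stack.
        # The output key is spelled exactly as the stack declares it
        # ("RuleGorupARN"); renaming it here without changing the stack
        # breaks the reference.
        {
          ruleGroupType  = "RuleGroup"
          ruleGroupArn   = aws_cloudformation_stack.aws_waf_rulegroup_ratebased.outputs["RuleGorupARN"]
          overrideAction = { type = "NONE" }
        }
      ]
      postProcessRuleGroups = []
      # When true, FMS replaces any web ACL an account already associated
      # with a distribution in scope.
      overrideCustomerWebACLAssociation = var.global_policy_overrideCustomerWebACLAssociation
      # Action for requests no rule group matched (e.g. ALLOW or BLOCK).
      defaultAction = {
        type = var.global_policy_default_action
      }
      ruleGroups = []
      loggingConfiguration = {
        # Every branch yields a list of Firehose ARNs (or null when no
        # logging option is selected). Without log delivery the COUNT-mode
        # Bot Control results above are not observable anywhere.
        logDestinationConfigs = (
          var.logging_option == "option1" ? [aws_kinesis_firehose_delivery_stream.WAFKinesisFirehose_global[0].arn] :
          var.logging_option == "option2" ? [aws_cloudformation_stack.dashboards_private_kinesis_global[0].outputs["KinesisFirehoseDeliveryStreamArn"]] :
          var.logging_option == "option3" ? [aws_cloudformation_stack.dashboards-option3-global[0].outputs["KinesisFirehoseDeliveryStreamArn"]] :
          null
        )
      }
    })
  }
}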