waf-rulegroup-owasp.tf
## WAF Rule Groups
/**/
locals {
  # One candidate entry per OWASP rule. An entry is emitted only when the
  # matching local.is_owasp_*_enabled flag is 1; otherwise the slot holds the
  # empty object `{}`, which is stripped out below in owasp_rules. Each entry
  # carries the rule's action, evaluation priority and the created rule id.
  # The `.0.id` access assumes every aws_waf_rule is declared with count
  # (those resources live elsewhere in the module).
  # NOTE(review): the true/false arms of each conditional are objects with
  # different attribute sets — confirm the pinned Terraform version accepts
  # this type mix before relying on it.
  owasp_rules_tmp = distinct([
    local.is_owasp_auth_tokens_enabled == 1 ?
    {
      action   = var.rule_owasp_auth_tokens_action,
      priority = var.rule_owasp_auth_tokens_priority,
      id       = aws_waf_rule.owasp_auth_tokens.0.id
    } : {},
    local.is_owasp_csrf_enabled == 1 ?
    {
      action   = var.rule_owasp_csrf_action,
      priority = var.rule_owasp_csrf_priority,
      id       = aws_waf_rule.owasp_csrf.0.id
    } : {},
    local.is_owasp_injection_sql_enabled == 1 ?
    {
      action   = var.rule_owasp_injection_sql_action,
      priority = var.rule_owasp_injection_sql_priority,
      id       = aws_waf_rule.owasp_injection_sql.0.id
    } : {},
    local.is_owasp_path_traversal_enabled == 1 ?
    {
      action   = var.rule_owasp_path_traversal_action,
      priority = var.rule_owasp_path_traversal_priority,
      id       = aws_waf_rule.owasp_path_traversal.0.id
    } : {},
    local.is_owasp_php_enabled == 1 ?
    {
      action   = var.rule_owasp_php_action,
      priority = var.rule_owasp_php_priority,
      id       = aws_waf_rule.owasp_php.0.id
    } : {},
    local.is_owasp_size_restriction_enabled == 1 ?
    {
      action   = var.rule_owasp_size_restriction_action,
      priority = var.rule_owasp_size_restriction_priority,
      id       = aws_waf_rule.owasp_size_restriction.0.id
    } : {},
    local.is_owasp_ssi_enabled == 1 ?
    {
      action   = var.rule_owasp_ssi_action,
      priority = var.rule_owasp_ssi_priority,
      id       = aws_waf_rule.owasp_ssi.0.id
    } : {},
    local.is_owasp_xss_enabled == 1 ?
    {
      action   = var.rule_owasp_xss_action,
      priority = var.rule_owasp_xss_priority,
      id       = aws_waf_rule.owasp_xss.0.id
    } : {},
  ])

  # The activated-rule set consumed by aws_waf_rule_group.owasp_top_10 below:
  # the `{}` placeholders for disabled rules are removed, so only enabled
  # rules are attached to the group.
  owasp_rules = setsubtract(local.owasp_rules_tmp, [{}])
}
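# Bundles the enabled OWASP rules (local.owasp_rules) into a single WAF
# Classic rule group, created only when var.create_rule_group_owasp is set.
resource "aws_waf_rule_group" "owasp_top_10" {
  # The rules are consumed indirectly via local.owasp_rules, so the
  # dependency on the underlying aws_waf_rule resources is stated explicitly.
  depends_on = [
    aws_waf_rule.owasp_auth_tokens,
    aws_waf_rule.owasp_csrf,
    aws_waf_rule.owasp_injection_sql,
    aws_waf_rule.owasp_path_traversal,
    aws_waf_rule.owasp_php,
    aws_waf_rule.owasp_size_restriction,
    aws_waf_rule.owasp_ssi,
    aws_waf_rule.owasp_xss,
  ]

  count = var.create_rule_group_owasp ? 1 : 0

  name = format("%s-owasp-top-10-%s", lower(var.waf_prefix), random_id.this.0.hex)

  # AWS WAF metric names may contain only alphanumeric characters, so every
  # other character (e.g. the hyphens a prefix commonly carries) is stripped
  # from the lowercased prefix; random_id's hex output is already alphanumeric.
  metric_name = format("%sOWASPTop10%s", replace(lower(var.waf_prefix), "/[^a-z0-9]/", ""), random_id.this.0.hex)

  # One activated_rule per enabled rule. priority values come from the
  # rule_owasp_*_priority variables and must be unique within the group, and
  # action must be ALLOW, BLOCK or COUNT — presumably enforced by validation on
  # the variables; verify there, since an invalid value only fails at apply.
  dynamic "activated_rule" {
    iterator = rule
    for_each = local.owasp_rules
    content {
      action {
        type = rule.value["action"]
      }
      priority = rule.value["priority"]
      rule_id  = rule.value["id"]
      type     = "REGULAR"
    }
  }

  tags = local.tags
}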
/**/