Enable exempt country input option
olamide committed Mar 11, 2024
1 parent a8edaa2 commit faa26d8
Showing 3 changed files with 61 additions and 20 deletions.
11 changes: 6 additions & 5 deletions aws/ingress/variables.tf
Expand Up @@ -159,11 +159,12 @@ variable "waf_aws_managed_rule_groups" {
variable "waf_rate_limit" {
description = "Applicable if WAF is enabled. Rule statement to track and rate limits requests when they are coming at too fast a rate.. For more details, visit - https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html"
type = map(object({
name = string # Name of the Rate limit rule group
priority = number # Relative processing order for rate limit rule relative to other rules processed by AWS WAF.
limit = optional(number, 2000) # This is the limit on requests from any single IP address within a 5 minute period
count_override = optional(bool, false) # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`. Default value is false.
country_list = optional(list(string), []) # List of countries to apply the rate limit to. If populated, from other countries will be ignored by this rule. IF empty, the rule will apply to all traffic.
name = string # Name of the Rate limit rule group
priority = number # Relative processing order for rate limit rule relative to other rules processed by AWS WAF.
limit = optional(number, 2000) # This is the limit on requests from any single IP address within a 5 minute period
count_override = optional(bool, false) # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`. Default value is false.
country_list = optional(list(string), []) # List of countries to apply the rate limit to. If populated, from other countries will be ignored by this rule. IF empty, the rule will apply to all traffic.
exempt_country_list = optional(list(string), []) # List of countries to exempt from the rate limit. If populated, the selected countries will be ignored by this rule. IF empty, the rule will apply to all traffic.
}))
default = {
default_rule = {
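Review bot: `exempt_country_list` is added here only to `waf_rate_limit`, whereas `aws/waf/variables.tf` in the same commit adds it to both `aws_managed_rule_groups` and `rate_limit_rules`; the ingress-level `waf_aws_managed_rule_groups` variable, whose definition ends just above this hunk, is not touched by this diff (the file has a single hunk), so if the ingress module forwards that variable to the WAF module, callers cannot set an exemption list for managed rules from the ingress level. Consider adding the same `optional(list(string), [])` attribute there, and check that the ingress module's call into `aws/waf` passes the new field through rather than mapping attributes one by one. The comment on the new `exempt_country_list` line is also misleading when `country_list` is set, since an empty exemption list then leaves the rule scoped to `country_list`, not to all traffic; suggest `# Two-letter country codes excluded from this rule. Combined with country_list; an empty list adds no exemption.`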
50 changes: 44 additions & 6 deletions aws/waf/main.tf
Expand Up @@ -37,10 +37,29 @@ resource "aws_wafv2_web_acl" "main" {
aggregate_key_type = "IP"

dynamic "scope_down_statement" {
for_each = length(rule.value["country_list"]) > 0 ? [1] : []
for_each = length(concat(rule.value["country_list"], rule.value["exempt_country_list"])) > 0 ? [1] : []
content {
geo_match_statement {
country_codes = rule.value["country_list"]
and_statement {
dynamic "statement" {
for_each = length(rule.value["country_list"]) > 0 ? [1] : []
content {
geo_match_statement {
country_codes = rule.value["country_list"]
}
}
}
dynamic "statement" {
for_each = length(rule.value["exempt_country_list"]) > 0 ? [1] : []
content {
not_statement {
statement {
geo_match_statement {
country_codes = rule.value["exempt_country_list"]
}
}
}
}
}
}
}
}
Expand Down Expand Up @@ -118,10 +137,29 @@ resource "aws_wafv2_web_acl" "main" {
vendor_name = "AWS"

dynamic "scope_down_statement" {
for_each = length(rule.value["country_list"]) > 0 ? [1] : []
for_each = length(concat(rule.value["country_list"], rule.value["exempt_country_list"])) > 0 ? [1] : []
content {
geo_match_statement {
country_codes = rule.value["country_list"]
and_statement {
dynamic "statement" {
for_each = length(rule.value["country_list"]) > 0 ? [1] : []
content {
geo_match_statement {
country_codes = rule.value["country_list"]
}
}
}
dynamic "statement" {
for_each = length(rule.value["exempt_country_list"]) > 0 ? [1] : []
content {
not_statement {
statement {
geo_match_statement {
country_codes = rule.value["exempt_country_list"]
}
}
}
}
}
}
}
}
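Review bot: The new `scope_down_statement` wraps the geo match in an `and_statement` even when only one of `country_list` / `exempt_country_list` is populated, so the pre-existing "country_list only" configuration now produces an `and_statement` with a single child instead of the bare `geo_match_statement` it produced before; as far as I recall AWS WAFv2 rejects an AndStatement with fewer than two nested statements at apply time, so this should be verified with a plan/apply that sets only one list. The same block is duplicated verbatim in the second hunk for the managed rule groups, and the enclosing `aws_wafv2_web_acl "main"` resource starts and ends outside both hunks. Note also the semantics when a code appears in both lists: `geo_match AND NOT geo_match` never matches, so the exemption silently wins; that precedence should be documented on the variables (or rejected with a `validation` block). Finally, an exemption is a deliberate bypass of rate limiting / managed rules for any request WAF geolocates to those countries, including traffic egressing through proxies or VPNs there, which is worth a caveat in the variable description. A shape that keeps the old single-list behaviour and only uses `and_statement` when both lists are set:
```hcl
dynamic "scope_down_statement" {
  for_each = length(rule.value["country_list"]) > 0 || length(rule.value["exempt_country_list"]) > 0 ? [1] : []
  content {
    # Both lists set: restrict to country_list AND NOT exempt_country_list.
    dynamic "and_statement" {
      for_each = length(rule.value["country_list"]) > 0 && length(rule.value["exempt_country_list"]) > 0 ? [1] : []
      content {
        statement {
          geo_match_statement {
            country_codes = rule.value["country_list"]
          }
        }
        statement {
          not_statement {
            statement {
              geo_match_statement {
                country_codes = rule.value["exempt_country_list"]
              }
            }
          }
        }
      }
    }
    # Only country_list set: plain geo match, as before this change.
    dynamic "geo_match_statement" {
      for_each = length(rule.value["country_list"]) > 0 && length(rule.value["exempt_country_list"]) == 0 ? [1] : []
      content {
        country_codes = rule.value["country_list"]
      }
    }
    # Only exempt_country_list set: everything except those countries.
    dynamic "not_statement" {
      for_each = length(rule.value["country_list"]) == 0 && length(rule.value["exempt_country_list"]) > 0 ? [1] : []
      content {
        statement {
          geo_match_statement {
            country_codes = rule.value["exempt_country_list"]
          }
        }
      }
    }
  }
}
```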
20 changes: 11 additions & 9 deletions aws/waf/variables.tf
Expand Up @@ -23,21 +23,23 @@ variable "resource_arn" {
variable "aws_managed_rule_groups" {
description = "Rule statement values used to run the rules that are defined in a managed rule group. You may review this list for the available AWS managed rule groups - https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html"
type = map(object({
name = string # Name of the Managed rule group
priority = number # Relative processing order for rules processed by AWS WAF. All rules are processed from lowest priority to the highest.
count_override = optional(bool, true) # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`.
country_list = optional(list(string), []) # List of countries to apply the managed rule to. If populated, from other countries will be ignored by this rule. IF empty, the rule will apply to all traffic.
name = string # Name of the Managed rule group
priority = number # Relative processing order for rules processed by AWS WAF. All rules are processed from lowest priority to the highest.
count_override = optional(bool, true) # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`.
country_list = optional(list(string), []) # List of countries to apply the managed rule to. If populated, from other countries will be ignored by this rule. IF empty, the rule will apply to all traffic.
exempt_country_list = optional(list(string), []) # List of countries to exempt from the managed rule. If populated, the selected countries will be ignored by this rule. IF empty, the rule will apply to all traffic.
}))
}

variable "rate_limit_rules" {
description = "Rule statement to track and rate limits requests when they are coming at too fast a rate.. For more details, visit - https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html"
type = map(object({
name = string # Name of the Rate limit rule group
priority = number # Relative processing order for rate limit rule relative to other rules processed by AWS WAF.
limit = optional(number, 2000) # This is the limit on requests from any single IP address within a 5 minute period
count_override = optional(bool, false) # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`. Default value is false.
country_list = optional(list(string), []) # List of countries to apply the rate limit to. If populated, from other countries will be ignored by this rule. IF empty, the rule will apply to all traffic.
name = string # Name of the Rate limit rule group
priority = number # Relative processing order for rate limit rule relative to other rules processed by AWS WAF.
limit = optional(number, 2000) # This is the limit on requests from any single IP address within a 5 minute period
count_override = optional(bool, false) # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`. Default value is false.
country_list = optional(list(string), []) # List of countries to apply the rate limit to. If populated, from other countries will be ignored by this rule. IF empty, the rule will apply to all traffic.
exempt_country_list = optional(list(string), []) # List of countries to exempt from the rate limit. If populated, the selected countries will be ignored by this rule. IF empty, the rule will apply to all traffic.
}))
}

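Review bot: The comment on both new `exempt_country_list` attributes says "IF empty, the rule will apply to all traffic", which is wrong whenever `country_list` is populated: `aws/waf/main.tf` combines the two lists with `and_statement`, so an empty exemption list simply adds no exemption and the rule stays scoped to `country_list`. The comment should also state the format and the precedence that `main.tf` actually implements, e.g. `# Two-letter ISO 3166-1 alpha-2 country codes (e.g. "US") excluded from this rule. Combined with country_list; a code present in both lists is exempted.` Since an overlap is almost certainly a misconfiguration rather than intent, consider adding a `validation` block to each variable whose condition is `alltrue([for r in values(var.rate_limit_rules) : length(setintersection(r.country_list, r.exempt_country_list)) == 0])` (and the equivalent for `aws_managed_rule_groups`) with an error message naming the conflicting attributes. Lastly, the description should warn that an exemption disables the rule for all requests WAF geolocates to those countries, including traffic egressing via proxies or VPNs located there.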
