From faa26d82ba3d550683ed342774374d6528b8103f Mon Sep 17 00:00:00 2001
From: olamide
Date: Mon, 11 Mar 2024 09:25:11 +0100
Subject: [PATCH] Enable exempt country input option
---
 aws/ingress/variables.tf | 11 +++++----
 aws/waf/main.tf | 50 +++++++++++++++++++++++++++++++++++-----
 aws/waf/variables.tf | 20 ++++++++--------
 3 files changed, 61 insertions(+), 20 deletions(-)
diff --git a/aws/ingress/variables.tf b/aws/ingress/variables.tf
index 207d849..c0364be 100644
--- a/aws/ingress/variables.tf
+++ b/aws/ingress/variables.tf
@@ -159,11 +159,12 @@ variable "waf_aws_managed_rule_groups" {
 variable "waf_rate_limit" {
 description = "Applicable if WAF is enabled. Rule statement to track and rate limits requests when they are coming at too fast a rate.. For more details, visit - https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html"
 type = map(object({
- name = string # Name of the Rate limit rule group
- priority = number # Relative processing order for rate limit rule relative to other rules processed by AWS WAF.
- limit = optional(number, 2000) # This is the limit on requests from any single IP address within a 5 minute period
- count_override = optional(bool, false) # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`. Default value is false.
- country_list = optional(list(string), []) # List of countries to apply the rate limit to. If populated, from other countries will be ignored by this rule. IF empty, the rule will apply to all traffic.
+ name = string # Name of the Rate limit rule group
+ priority = number # Relative processing order for rate limit rule relative to other rules processed by AWS WAF.
+ limit = optional(number, 2000) # This is the limit on requests from any single IP address within a 5 minute period
+ count_override = optional(bool, false) # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`. Default value is false.
+ country_list = optional(list(string), []) # List of countries to apply the rate limit to. If populated, from other countries will be ignored by this rule. IF empty, the rule will apply to all traffic.
+ exempt_country_list = optional(list(string), []) # List of countries to exempt from the rate limit. If populated, the selected countries will be ignored by this rule. IF empty, the rule will apply to all traffic.
 }))
 default = {
 default_rule = {
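Review bot: Nothing rejects a country code that appears in both `country_list` and the new `exempt_country_list` attribute, and the geo_match AND NOT geo_match scope-down that aws/waf/main.tf builds from the two lists can then never match, so the rate-limit rule would silently stop applying to any traffic. A `validation` block on this variable would fail the plan instead, e.g. `condition = alltrue([for r in var.waf_rate_limit : length(setintersection(r.country_list, r.exempt_country_list)) == 0])` with an `error_message` naming the two fields. The same missing check applies to the `aws_managed_rule_groups` and `rate_limit_rules` hunk in aws/waf/variables.tf. The new attribute comment's last sentence, `IF empty, the rule will apply to all traffic.`, is only true when `country_list` is also empty; wording it as `IF empty, no country is exempted.` avoids suggesting the exempt list alone decides the rule's reach.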
diff --git a/aws/waf/main.tf b/aws/waf/main.tf
index f25ccc7..fabf622 100644
--- a/aws/waf/main.tf
+++ b/aws/waf/main.tf
@@ -37,10 +37,29 @@ resource "aws_wafv2_web_acl" "main" {
 aggregate_key_type = "IP"
 dynamic "scope_down_statement" {
- for_each = length(rule.value["country_list"]) > 0 ? [1] : []
+ for_each = length(concat(rule.value["country_list"], rule.value["exempt_country_list"])) > 0 ? [1] : []
 content {
- geo_match_statement {
- country_codes = rule.value["country_list"]
+ and_statement {
+ dynamic "statement" {
+ for_each = length(rule.value["country_list"]) > 0 ? [1] : []
+ content {
+ geo_match_statement {
+ country_codes = rule.value["country_list"]
+ }
+ }
+ }
+ dynamic "statement" {
+ for_each = length(rule.value["exempt_country_list"]) > 0 ? [1] : []
+ content {
+ not_statement {
+ statement {
+ geo_match_statement {
+ country_codes = rule.value["exempt_country_list"]
+ }
+ }
+ }
+ }
+ }
 }
 }
 }
@@ -118,10 +137,29 @@ resource "aws_wafv2_web_acl" "main" {
 vendor_name = "AWS"
 dynamic "scope_down_statement" {
- for_each = length(rule.value["country_list"]) > 0 ? [1] : []
+ for_each = length(concat(rule.value["country_list"], rule.value["exempt_country_list"])) > 0 ? [1] : []
 content {
- geo_match_statement {
- country_codes = rule.value["country_list"]
+ and_statement {
+ dynamic "statement" {
+ for_each = length(rule.value["country_list"]) > 0 ? [1] : []
+ content {
+ geo_match_statement {
+ country_codes = rule.value["country_list"]
+ }
+ }
+ }
+ dynamic "statement" {
+ for_each = length(rule.value["exempt_country_list"]) > 0 ? [1] : []
+ content {
+ not_statement {
+ statement {
+ geo_match_statement {
+ country_codes = rule.value["exempt_country_list"]
+ }
+ }
+ }
+ }
+ }
 }
 }
 }
diff --git a/aws/waf/variables.tf b/aws/waf/variables.tf
index 47dbbbc..445264e 100644
--- a/aws/waf/variables.tf
+++ b/aws/waf/variables.tf
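Review bot: The `and_statement` added under `content {` in the first hunk (and identically in the second hunk at `@@ -118`) carries a single member whenever only one of `country_list` or `exempt_country_list` is populated, because each `dynamic "statement"` is gated independently; confirm that the provider and the WAFv2 API accept a one-member AndStatement, since if they do not, the plan will fail for exactly the `country_list`-only configurations that worked before this change. If a single member is not accepted, emit the bare `geo_match_statement` or `not_statement` when only one list is set and use `and_statement` only when both are. The enclosing `rule` blocks start and end outside both hunks, so the `rule.value` shape they iterate over is not visible here.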
@@ -23,21 +23,23 @@ variable "resource_arn" {
 variable "aws_managed_rule_groups" {
 description = "Rule statement values used to run the rules that are defined in a managed rule group. You may review this list for the available AWS managed rule groups - https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html"
 type = map(object({
- name = string # Name of the Managed rule group
- priority = number # Relative processing order for rules processed by AWS WAF. All rules are processed from lowest priority to the highest.
- count_override = optional(bool, true) # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`.
- country_list = optional(list(string), []) # List of countries to apply the managed rule to. If populated, from other countries will be ignored by this rule. IF empty, the rule will apply to all traffic.
+ name = string # Name of the Managed rule group
+ priority = number # Relative processing order for rules processed by AWS WAF. All rules are processed from lowest priority to the highest.
+ count_override = optional(bool, true) # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`.
+ country_list = optional(list(string), []) # List of countries to apply the managed rule to. If populated, from other countries will be ignored by this rule. IF empty, the rule will apply to all traffic.
+ exempt_country_list = optional(list(string), []) # List of countries to exempt from the managed rule. If populated, the selected countries will be ignored by this rule. IF empty, the rule will apply to all traffic.
 }))
 }
 variable "rate_limit_rules" {
 description = "Rule statement to track and rate limits requests when they are coming at too fast a rate.. 
For more details, visit - https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html"
 type = map(object({
- name = string # Name of the Rate limit rule group
- priority = number # Relative processing order for rate limit rule relative to other rules processed by AWS WAF.
- limit = optional(number, 2000) # This is the limit on requests from any single IP address within a 5 minute period
- count_override = optional(bool, false) # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`. Default value is false.
- country_list = optional(list(string), []) # List of countries to apply the rate limit to. If populated, from other countries will be ignored by this rule. IF empty, the rule will apply to all traffic.
+ name = string # Name of the Rate limit rule group
+ priority = number # Relative processing order for rate limit rule relative to other rules processed by AWS WAF.
+ limit = optional(number, 2000) # This is the limit on requests from any single IP address within a 5 minute period
+ count_override = optional(bool, false) # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`. Default value is false.
+ country_list = optional(list(string), []) # List of countries to apply the rate limit to. If populated, from other countries will be ignored by this rule. IF empty, the rule will apply to all traffic.
+ exempt_country_list = optional(list(string), []) # List of countries to exempt from the rate limit. If populated, the selected countries will be ignored by this rule. IF empty, the rule will apply to all traffic.
 }))
 }