More waf

Author: LeoDiazL

README.md

@@ -215,16 +215,27 @@ The following inputs can be used as `step.with` keys
 | Name             | Type    | Description                        |
 |------------------|---------|------------------------------------|
 | `aws_waf_enable` | Boolean | Enable WAF for load balancer (LB only - NOT ELB). Default is `false` |
-| `aws_waf_rate_limit` | Number | Blocks IPs that exceed the specified request rate (requests per 5 minutes). Default is `2000` |
-| `aws_waf_managed_rules` | Boolean | Protection against OWASP Top 10 vulnerabilities and requests with known malicious patterns. Default is `true` |
-| `aws_waf_ip_reputation` | Boolean | Blocks requests from known malicious IP addresses. Default is `true` |
-| `aws_waf_logging_enable` | Boolean | Sends WAF logs to CloudWatch for monitoring. Default is `false` |
-| `aws_waf_log_retention_days` | Number | CloudWatch log retention period for WAF logs. Default is `30` |
+| `aws_waf_logging_enable`| Boolean | Enable WAF logging to CloudWatch. Default `false` |
+| `aws_waf_log_retention_days`| Number | CloudWatch log retention period for WAF logs. Default `30` |
+| `aws_waf_rule_rate_limit`| String | Rate limit for WAF rules. Default is `2000` |
+| `aws_waf_rule_managed_rules`| Boolean | Enable common managed rule groups to use. Default `false` |
+| `aws_waf_rule_managed_bad_inputs`| Boolean | Enable managed rule for bad inputs. Default `false` |
+| `aws_waf_rule_ip_reputation`| Boolean | Enable managed rule for IP reputation. Default `false` |
+| `aws_waf_rule_anonymous_ip`| Boolean | Enable managed rule for anonymous IP. Default `false` |
+| `aws_waf_rule_bot_control`| Boolean | Enable managed rule for bot control (costs extra). Default `false` |
+| `aws_waf_rule_geo_block_countries`| String | Comma separated list of countries to block. |
+| `aws_waf_rule_geo_allow_only_countries`| String | Comma separated list of countries to allow. |
+| `aws_waf_rule_sqli`| Boolean | Enable managed rule for SQL injection. Default `false` |
+| `aws_waf_rule_linux`| Boolean | Enable managed rule for Linux. Default `false` |
+| `aws_waf_rule_unix`| Boolean | Enable managed rule for Unix. Default `false` |
+| `aws_waf_rule_admin_protection`| Boolean | Enable managed rule for admin protection. Default `false` |
+| `aws_waf_rule_user_arn`| String | String of the user created ARN set of rules. |
+| `aws_waf_additional_tags`| String | A list of strings that will be added to created resources. Default `"{}"` |
 <hr/>
 <br/>
 
 #### **EFS Inputs**
-| Name             | Type    | Description                        |
+| Name             | Type    | Descrifption                        |
 |------------------|---------|------------------------------------|
 | `aws_efs_create` | Boolean | Toggle to indicate whether to create an EFS volume and mount it to the EC2 instance as a part of the provisioning. Note: The stack will manage the EFS and will be destroyed along with the stack. |
 | `aws_efs_fs_id` | String | ID of existing EFS volume if you wish to use an existing one. |

action.yaml

@@ -282,27 +282,57 @@ inputs:
 
   # AWS WAF
   aws_waf_enable:
-    description: 'Enable WAF for load balancer'
+    description: 'Enable WAF for load balancer.'
     required: false
-  aws_waf_rate_limit:
-    description: 'Rate limit for WAF (requests per 5 minutes)'
+  aws_waf_logging_enable:
+    description: 'Enable WAF logging to CloudWatch.'
     required: false
-  aws_waf_managed_rules:
-    description: 'Enable AWS managed rule sets'
+  aws_waf_log_retention_days:
+    description: 'CloudWatch log retention period for WAF logs.'
     required: false
-  aws_waf_ip_reputation:
-    description: 'Enable IP reputation rule set'
+  aws_waf_rule_rate_limit:
+    description: 'Rate limit for WAF rules.'
     required: false
-  aws_waf_logging_enable:
-    description: 'Enable WAF logging to CloudWatch'
+  aws_waf_rule_managed_rules:
+    description: 'Enable common managed rule groups to use.'
     required: false
-  aws_waf_log_retention_days:
-    description: 'CloudWatch log retention period for WAF logs'
+  aws_waf_rule_managed_bad_inputs:
+    description: 'Enable managed rule for bad inputs.'
+    required: false
+  aws_waf_rule_ip_reputation:
+    description: 'Enable managed rule for IP reputation.'
+    required: false
+  aws_waf_rule_anonymous_ip:
+    description: 'Enable managed rule for anonymous IP.'
+    required: false
+  aws_waf_rule_bot_control:
+    description: 'Enable managed rule for bot control (costs extra).'
+    required: false
+  aws_waf_rule_geo_block_countries:
+    description: 'Comma separated list of countries to block.'
+    required: false
+  aws_waf_rule_geo_allow_only_countries:
+    description: 'Comma separated list of countries to allow.'
+    required: false
+  aws_waf_rule_sqli:
+    description: 'Enable managed rule for SQL injection.'
+    required: false
+  aws_waf_rule_linux:
+    description: 'Enable managed rule for Linux.'
+    required: false
+  aws_waf_rule_unix:
+    description: 'Enable managed rule for Unix.'
+    required: false
+  aws_waf_rule_admin_protection:
+    description: 'Enable managed rule for admin protection.'
+    required: false
+  aws_waf_rule_user_arn:
+    description: 'ARN of the user rule.'
     required: false
   aws_waf_additional_tags:
     description: 'A JSON object of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}`'
     required: false
-  
+
   # AWS EFS
   aws_efs_create: 
     description: 'Toggle to indicate whether to create and EFS and mount it to the ec2 as a part of the provisioning. Note: The EFS will be managed by the stack and will be destroyed along with the stack.'
@@ -1225,12 +1255,22 @@ runs:
 
         # AWS WAF
         AWS_WAF_ENABLE: ${{ inputs.aws_waf_enable }}
-        AWS_WAF_RATE_LIMIT: ${{ inputs.aws_waf_rate_limit }}
-        AWS_WAF_MANAGED_RULES: ${{ inputs.aws_waf_managed_rules }}
-        AWS_WAF_IP_REPUTATION: ${{ inputs.aws_waf_ip_reputation }}
         AWS_WAF_LOGGING_ENABLE: ${{ inputs.aws_waf_logging_enable }}
         AWS_WAF_LOG_RETENTION_DAYS: ${{ inputs.aws_waf_log_retention_days }}
         AWS_WAF_ADDITIONAL_TAGS: ${{ inputs.aws_waf_additional_tags }}
+        AWS_WAF_RULE_RATE_LIMIT: ${{ inputs.aws_waf_rule_rate_limit }}
+        AWS_WAF_RULE_MANAGED_RULES: ${{ inputs.aws_waf_rule_managed_rules }}
+        AWS_WAF_RULE_MANAGED_BAD_INPUTS: ${{ inputs.aws_waf_rule_managed_bad_inputs }}
+        AWS_WAF_RULE_IP_REPUTATION: ${{ inputs.aws_waf_rule_ip_reputation }}
+        AWS_WAF_RULE_ANONYMOUS_IP: ${{ inputs.aws_waf_rule_anonymous_ip }}
+        AWS_WAF_RULE_BOT_CONTROL: ${{ inputs.aws_waf_rule_bot_control }}
+        AWS_WAF_RULE_GEO_BLOCK_COUNTRIES: ${{ inputs.aws_waf_rule_geo_block_countries }}
+        AWS_WAF_RULE_GEO_ALLOW_ONLY_COUNTRIES: ${{ inputs.aws_waf_rule_geo_allow_only_countries }}
+        AWS_WAF_RULE_USER_ARN: ${{ inputs.aws_waf_rule_user_arn }}
+        AWS_WAF_RULE_SQLI: ${{ inputs.aws_waf_rule_sqli }}
+        AWS_WAF_RULE_LINUX: ${{ inputs.aws_waf_rule_linux }}
+        AWS_WAF_RULE_UNIX: ${{ inputs.aws_waf_rule_unix }}
+        AWS_WAF_RULE_ADMIN_PROTECTION: ${{ inputs.aws_waf_rule_admin_protection }}
 
         # AWS EFS
         AWS_EFS_CREATE: ${{ inputs.aws_efs_create }}

operations/_scripts/generate/generate_vars_terraform.sh

@@ -135,12 +135,22 @@ fi
 #-- AWS WAF --#
 if [[ $(alpha_only "$AWS_WAF_ENABLE") == true ]]; then
   aws_waf_enable=$(generate_var aws_waf_enable $AWS_WAF_ENABLE)
-  aws_waf_rate_limit=$(generate_var aws_waf_rate_limit $AWS_WAF_RATE_LIMIT)
-  aws_waf_managed_rules=$(generate_var aws_waf_managed_rules $AWS_WAF_MANAGED_RULES)
-  aws_waf_ip_reputation=$(generate_var aws_waf_ip_reputation $AWS_WAF_IP_REPUTATION)
   aws_waf_logging_enable=$(generate_var aws_waf_logging_enable $AWS_WAF_LOGGING_ENABLE)
   aws_waf_log_retention_days=$(generate_var aws_waf_log_retention_days $AWS_WAF_LOG_RETENTION_DAYS)
   aws_waf_additional_tags=$(generate_var aws_waf_additional_tags $AWS_WAF_ADDITIONAL_TAGS)
+  aws_waf_rule_rate_limit=$(generate_var aws_waf_rule_rate_limit $AWS_WAF_RULE_RATE_LIMIT)
+  aws_waf_rule_managed_rules=$(generate_var aws_waf_rule_managed_rules $AWS_WAF_RULE_MANAGED_RULES)
+  aws_waf_rule_managed_bad_inputs=$(generate_var aws_waf_rule_managed_bad_inputs $AWS_WAF_RULE_MANAGED_BAD_INPUTS)
+  aws_waf_rule_ip_reputation=$(generate_var aws_waf_rule_ip_reputation $AWS_WAF_RULE_IP_REPUTATION)
+  aws_waf_rule_anonymous_ip=$(generate_var aws_waf_rule_anonymous_ip $AWS_WAF_RULE_ANONYMOUS_IP)
+  aws_waf_rule_bot_control=$(generate_var aws_waf_rule_bot_control $AWS_WAF_RULE_BOT_CONTROL)
+  aws_waf_rule_geo_block_countries=$(generate_var aws_waf_rule_geo_block_countries $AWS_WAF_RULE_GEO_BLOCK_COUNTRIES)
+  aws_waf_rule_geo_allow_only_countries=$(generate_var aws_waf_rule_geo_allow_only_countries $AWS_WAF_RULE_GEO_ALLOW_ONLY_COUNTRIES)
+  aws_waf_rule_user_arn=$(generate_var aws_waf_rule_user_arn $AWS_WAF_RULE_USER_ARN)
+  aws_waf_rule_sqli=$(generate_var aws_waf_rule_sqli $AWS_WAF_RULE_SQLI)
+  aws_waf_rule_linux=$(generate_var aws_waf_rule_linux $AWS_WAF_RULE_LINUX)
+  aws_waf_rule_unix=$(generate_var aws_waf_rule_unix $AWS_WAF_RULE_UNIX)
+  aws_waf_rule_admin_protection=$(generate_var aws_waf_rule_admin_protection $AWS_WAF_RULE_ADMIN_PROTECTION)
 fi
 
 #-- AWS EFS --#
@@ -483,12 +493,22 @@ $aws_elb_additional_tags
 
 #-- WAF --#
 $aws_waf_enable
-$aws_waf_rate_limit
-$aws_waf_managed_rules
-$aws_waf_ip_reputation
 $aws_waf_logging_enable
 $aws_waf_log_retention_days
 $aws_waf_additional_tags
+$aws_waf_rule_rate_limit
+$aws_waf_rule_managed_rules
+$aws_waf_rule_managed_bad_inputs
+$aws_waf_rule_ip_reputation
+$aws_waf_rule_anonymous_ip
+$aws_waf_rule_bot_control
+$aws_waf_rule_geo_block_countries
+$aws_waf_rule_geo_allow_only_countries
+$aws_waf_rule_user_arn
+$aws_waf_rule_sqli
+$aws_waf_rule_linux
+$aws_waf_rule_unix
+$aws_waf_rule_admin_protection
 
 #-- EFS --#
 $aws_efs_enable

operations/deployment/terraform/aws/aws_variables.tf

@@ -336,24 +336,6 @@ variable "aws_waf_enable" {
   default     = false
 }
 
-variable "aws_waf_rate_limit" {
-  type        = number
-  description = "Rate limit for WAF (requests per 5 minutes)"
-  default     = 2000
-}
-
-variable "aws_waf_managed_rules" {
-  type        = bool
-  description = "Enable AWS managed rule sets"
-  default     = true
-}
-
-variable "aws_waf_ip_reputation" {
-  type        = bool
-  description = "Enable IP reputation rule set"
-  default     = true
-}
-
 variable "aws_waf_logging_enable" {
   type        = bool
   description = "Enable WAF logging to CloudWatch"
@@ -372,6 +354,84 @@ variable "aws_waf_additional_tags" {
   default     = "{}"
 }
 
+variable "aws_waf_rule_rate_limit" {
+  type        = string
+  description = "Rate limit for WAF rules"
+  default     = "2000"
+}
+
+variable "aws_waf_rule_managed_rules" {
+  type        = bool
+  description = "Enable common managed rule groups to use"
+  default     = false
+}
+
+variable "aws_waf_rule_managed_bad_inputs" {
+  type        = bool
+  description = "Enable managed rule for bad inputs"
+  default     = false
+}
+
+variable "aws_waf_rule_ip_reputation" {
+  type        = bool
+  description = "Enable managed rule for IP reputation"
+  default     = false
+}
+
+variable "aws_waf_rule_anonymous_ip" {
+  type        = bool
+  description = "Enable managed rule for anonymous IP"
+  default     = false
+}
+
+variable "aws_waf_rule_bot_control" {
+  type        = bool
+  description = "Enable managed rule for bot control (costs extra)"
+  default     = false
+}
+
+variable "aws_waf_rule_geo_block_countries" {
+  type        = string
+  description = "Comma separated list of countries to block"
+  default     = ""
+}
+
+variable "aws_waf_rule_geo_allow_only_countries" {
+  type        = string
+  description = "Comma separated list of countries to allow"
+  default     = ""
+}
+
+variable "aws_waf_rule_sqli" {
+  type        = bool
+  description = "Enable managed rule for SQL injection"
+  default     = false
+}
+
+variable "aws_waf_rule_linux" {
+  type        = bool
+  description = "Enable managed rule for Linux"
+  default     = false
+}
+
+variable "aws_waf_rule_unix" {
+  type        = bool
+  description = "Enable managed rule for Unix"
+  default     = false
+}
+
+variable "aws_waf_rule_admin_protection" {
+  type        = bool
+  description = "Enable managed rule for admin protection"
+  default     = false
+}
+
+variable "aws_waf_rule_user_arn" {
+  type        = string
+  description = "ARN of the user rule"
+  default     = ""
+}
+
 # AWS EFS
 
 ### This variable is hidden for the end user. Is built in deploy.sh based on the next 3 variables. 

operations/deployment/terraform/aws/bitovi_main.tf

@@ -572,16 +572,27 @@ module "aws_waf_ecs" {
   source = "../modules/aws/waf"
   count  = var.aws_waf_enable && var.aws_ecs_enable ? 1 : 0
   aws_waf_enable             = var.aws_waf_enable
-  aws_waf_rate_limit         = var.aws_waf_rate_limit
-  aws_waf_managed_rules      = var.aws_waf_managed_rules
-  aws_waf_ip_reputation      = var.aws_waf_ip_reputation
-  aws_lb_resource_arn        = module.aws_ecs[0].load_balancer_arn
   aws_waf_logging_enable     = var.aws_waf_logging_enable
   aws_waf_log_retention_days = var.aws_waf_log_retention_days
   aws_resource_identifier    = var.aws_resource_identifier
+  # Rules
+  aws_waf_rule_rate_limit               = var.aws_waf_rule_rate_limit
+  aws_waf_rule_managed_rules            = var.aws_waf_rule_managed_rules
+  aws_waf_rule_managed_bad_inputs       = var.aws_waf_rule_managed_bad_inputs
+  aws_waf_rule_ip_reputation            = var.aws_waf_rule_ip_reputation
+  aws_waf_rule_anonymous_ip             = var.aws_waf_rule_anonymous_ip
+  aws_waf_rule_bot_control              = var.aws_waf_rule_bot_control
+  aws_waf_rule_geo_block_countries      = var.aws_waf_rule_geo_block_countries
+  aws_waf_rule_geo_allow_only_countries = var.aws_waf_rule_geo_allow_only_countries
+  aws_waf_rule_user_arn                 = var.aws_waf_rule_user_arn
+  aws_waf_rule_sqli                     = var.aws_waf_rule_sqli
+  aws_waf_rule_linux                    = var.aws_waf_rule_linux
+  aws_waf_rule_unix                     = var.aws_waf_rule_unix
+  aws_waf_rule_admin_protection         = var.aws_waf_rule_admin_protection
+  # Incoming
+  aws_lb_resource_arn = module.aws_ecs[0].load_balancer_arn
   # Others
-  #fqdn_provided              = local.fqdn_provided
-  depends_on = [ module.aws_certificates,module.aws_ecs ]
+  depends_on = [ module.aws_ecs ]
   providers = {
     aws = aws.waf
   }