Add ALB and WAF

README.md

@@ -56,7 +56,8 @@ jobs:
 1. [EC2](#ec2-inputs)
 1. [VPC](#vpc-inputs)
 1. [AWS Route53 Domains and Certificates](#aws-route53-domains-and-certificate-inputs)
-1. [Load Balancer](#load-balancer-inputs)
+1. [Load Balancer](#load-balancer-inputs-classic-elb)
+1. [Application Load Balancer Inputs (ALB)](#application-load-balancer-inputs-alb)
 1. [WAF](#waf)
 1. [EFS](#efs-inputs)
 1. [RDS](#rds-inputs)
@@ -195,7 +196,7 @@ The following inputs can be used as `step.with` keys
 <hr/>
 <br/>
 
-#### **Load Balancer Inputs**
+#### **Load Balancer Inputs (Classic ELB)**
 | Name             | Type    | Description                        |
 |------------------|---------|------------------------------------|
 | `aws_elb_create` | Boolean | Toggles the creation of a load balancer and map ports to the EC2 instance. Defaults to `false`.|
@@ -211,25 +212,56 @@ The following inputs can be used as `step.with` keys
 <hr/>
 <br/>
 
+#### **Application Load Balancer Inputs (ALB)**
+| Name             | Type    | Description                        |
+|------------------|---------|------------------------------------|
+| `aws_alb_create` | Boolean | Global toggle for ALB creation. Defaults to `false` |
+| `aws_alb_security_group_name` | String | Name of the security group to use for ALB. Defaults to `SG for ${aws_resource_identifier} - ALB`|
+| `aws_alb_app_port` | String | Comma-separated list of application ports for ALB target group. If none defined, will use `aws_alb_listen_port` ones. |
+| `aws_alb_app_protocol` | String | Comma-separated list of protocols for ALB target group (HTTP/HTTPS). Defaults to `HTTP`. |
+| `aws_alb_listen_port` | String | Comma-separated list of listener ports for ALB. Depending on certificate, defaults to `80` or `443`. |
+| `aws_alb_listen_protocol` | String | Comma-separated list of listener protocols for ALB (HTTP/HTTPS). Defaults to Depending on certificate, defaults to `HTTP` or `HTTPS`. |
+| `aws_alb_redirect_enable` | Boolean | Enable HTTP to HTTPS redirection on ALB. Defaults to `false` |
+| `aws_alb_www_to_apex_redirect` | Boolean | Enable www to apex domain redirection on ALB. Defaults to `false` |
+| `aws_alb_healthcheck_path` | String | Health check path for ALB target group. Defaults to `"/"` |
+| `aws_alb_healthcheck_protocol` | String | Health check protocol for ALB target group. Defaults to `"HTTP"` |
+| `aws_alb_ssl_policy` | String | SSL policy for HTTPS listeners. More [here](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/describe-ssl-policies.html) |
+| `aws_alb_additional_tags`| String | A list of strings that will be added to created resources. Example: `{"key1": "value1", "key2": "value2"}`. Default `"{}"` |
+<hr/>
+<br/>
+
 #### **WAF**
 | Name             | Type    | Description                        |
 |------------------|---------|------------------------------------|
 | `aws_waf_enable` | Boolean | Enable WAF for load balancer (LB only - NOT ELB). Default is `false` |
 | `aws_waf_logging_enable`| Boolean | Enable WAF logging to CloudWatch. Default `false` |
 | `aws_waf_log_retention_days`| Number | CloudWatch log retention period for WAF logs. Default `30` |
-| `aws_waf_rule_rate_limit`| String | Rate limit for WAF rules. Default is `2000` |
-| `aws_waf_rule_managed_rules`| Boolean | Enable common managed rule groups to use. Default `false` |
-| `aws_waf_rule_managed_bad_inputs`| Boolean | Enable managed rule for bad inputs. Default `false` |
-| `aws_waf_rule_ip_reputation`| Boolean | Enable managed rule for IP reputation. Default `false` |
-| `aws_waf_rule_anonymous_ip`| Boolean | Enable managed rule for anonymous IP. Default `false` |
-| `aws_waf_rule_bot_control`| Boolean | Enable managed rule for bot control (costs extra). Default `false` |
-| `aws_waf_rule_geo_block_countries`| String | Comma separated list of countries to block. |
-| `aws_waf_rule_geo_allow_only_countries`| String | Comma separated list of countries to allow. |
-| `aws_waf_rule_sqli`| Boolean | Enable managed rule for SQL injection. Default `false` |
-| `aws_waf_rule_linux`| Boolean | Enable managed rule for Linux. Default `false` |
-| `aws_waf_rule_unix`| Boolean | Enable managed rule for Unix. Default `false` |
-| `aws_waf_rule_admin_protection`| Boolean | Enable managed rule for admin protection. Default `false` |
-| `aws_waf_rule_user_arn`| String | String of the user created ARN set of rules. |
+| `aws_waf_rule_rate_limit`| String | Rate limit for WAF rules. Default is `2000`. |
+| `aws_waf_rule_rate_limit_priority` | Number | Priority for rate limit rule. Defaults to `10`. |
+| `aws_waf_rule_managed_rules` | Boolean | Enable common managed rule groups to use. Defaults to `false`. |
+| `aws_waf_rule_managed_rules_priority` | Number | Priority for managed rules. Defaults to `20`. |
+| `aws_waf_rule_managed_bad_inputs` | Boolean | Enable managed rule for bad inputs. Defaults to `false`. |
+| `aws_waf_rule_managed_bad_inputs_priority` | Number | Priority for bad inputs rule. Defaults to `30`. |
+| `aws_waf_rule_ip_reputation` | Boolean | Enable managed rule for IP reputation. Defaults to `false`. |
+| `aws_waf_rule_ip_reputation_priority`  | Number | Priority for IP reputation rule. Defaults to `40`. |
+| `aws_waf_rule_anonymous_ip`  | Boolean | Enable managed rule for anonymous IP. Defaults to `false`. |
+| `aws_waf_rule_anonymous_ip_priority` | Number | Priority for anonymous IP rule. Defaults to `50`. |
+| `aws_waf_rule_bot_control` | Boolean | Enable managed rule for bot control (costs extra). Defaults to `false`. |
+| `aws_waf_rule_bot_control_priority`  | Number | Priority for bot control rule. Defaults to `60`. |
+| `aws_waf_rule_geo_block_countries` | String | Comma separated list of countries to block. Defaults to ``. |
+| `aws_waf_rule_geo_block_countries_priority`  | Number | Priority for geo block countries rule. Defaults to `70`. |
+| `aws_waf_rule_geo_allow_only_countries`  | String | Comma separated list of countries to allow. Defaults to ``. |
+| `aws_waf_rule_geo_allow_only_countries_priority` | Number | Priority for geo allow only countries rule. Defaults to `75`. |
+| `aws_waf_rule_sqli`  | Boolean | Enable managed rule for SQL injection. Defaults to `false`. |
+| `aws_waf_rule_sqli_priority` | Number | Priority for SQL injection rule. Defaults to `85`. |
+| `aws_waf_rule_linux` | Boolean | Enable managed rule for Linux. Defaults to `false`. |
+| `aws_waf_rule_linux_priority`  | Number | Priority for Linux rule. Defaults to `90`. |
+| `aws_waf_rule_unix`  | Boolean | Enable managed rule for Unix. Defaults to `false`. |
+| `aws_waf_rule_unix_priority` | Number | Priority for Unix rule. Defaults to `95`. |
+| `aws_waf_rule_admin_protection`  | Boolean | Enable managed rule for admin protection. Defaults to `false`. |
+| `aws_waf_rule_admin_protection_priority` | Number | Priority for admin protection rule. Defaults to `100`. |
+| `aws_waf_rule_user_arn` | String | ARN of the user rule. Defaults to ``. |
+| `aws_waf_rule_user_arn_priority` | Number | Priority for user ARN rule. Defaults to `80`. |
 | `aws_waf_additional_tags`| String | A list of strings that will be added to created resources. Default `"{}"` |
 <hr/>
 <br/>

action.yaml

@@ -280,6 +280,53 @@ inputs:
     description: 'A JSON object of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}`'
     required: false
 
+  # AWS ALB
+  aws_alb_create:
+    description: "Global toggle for ALB creation"
+    required: false
+  aws_alb_security_group_name:
+    description: "Name of the security group to use for ALB"
+    required: false
+  aws_alb_app_port:
+    description: "Comma-separated list of application ports for ALB target group"
+    required: false
+  aws_alb_app_protocol:
+    description: "Comma-separated list of protocols for ALB target group (HTTP/HTTPS)"
+    required: false
+  aws_alb_listen_port:
+    description: "Comma-separated list of listener ports for ALB"
+    required: false
+  aws_alb_listen_protocol:
+    description: "Comma-separated list of listener protocols for ALB (HTTP/HTTPS)"
+    required: false
+  aws_alb_redirect_enable:
+    description: "Enable HTTP to HTTPS redirection on ALB"
+    required: false
+  aws_alb_www_to_apex_redirect:
+    description: 'Enable www to apex domain redirection on ALB'
+    required: false
+  aws_alb_healthcheck_path:
+    description: "Health check path for ALB target group"
+    required: false
+  aws_alb_healthcheck_protocol:
+    description: "Health check protocol for ALB target group"
+    required: false
+  aws_alb_ssl_policy:
+    description: "SSL policy for HTTPS listeners"
+    required: false
+  aws_alb_access_log_enabled:
+    description: "Enable ALB access logs"
+    required: false
+  aws_alb_access_log_bucket_name:
+    description: "S3 bucket name to store the ALB access logs"
+    required: false
+  aws_alb_access_log_expire:
+    description: "Delete the access logs after this amount of days"
+    required: false
+  aws_alb_additional_tags:
+    description: 'A JSON object of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}`'
+    required: false
+
   # AWS WAF
   aws_waf_enable:
     description: 'Enable WAF for load balancer.'
@@ -293,42 +340,81 @@ inputs:
   aws_waf_rule_rate_limit:
     description: 'Rate limit for WAF rules.'
     required: false
+  aws_waf_rule_rate_limit_priority:
+    description: 'Priority for rate limit rule.'
+    required: false
   aws_waf_rule_managed_rules:
     description: 'Enable common managed rule groups to use.'
     required: false
+  aws_waf_rule_managed_rules_priority:
+    description: 'Priority for managed rules group.'
+    required: false
   aws_waf_rule_managed_bad_inputs:
     description: 'Enable managed rule for bad inputs.'
     required: false
+  aws_waf_rule_managed_bad_inputs_priority:
+    description: 'Priority for bad inputs managed rule.'
+    required: false
   aws_waf_rule_ip_reputation:
     description: 'Enable managed rule for IP reputation.'
     required: false
+  aws_waf_rule_ip_reputation_priority:
+    description: 'Priority for IP reputation managed rule.'
+    required: false
   aws_waf_rule_anonymous_ip:
     description: 'Enable managed rule for anonymous IP.'
     required: false
+  aws_waf_rule_anonymous_ip_priority:
+    description: 'Priority for anonymous IP managed rule.'
+    required: false
   aws_waf_rule_bot_control:
     description: 'Enable managed rule for bot control (costs extra).'
     required: false
+  aws_waf_rule_bot_control_priority:
+    description: 'Priority for bot control managed rule.'
+    required: false
   aws_waf_rule_geo_block_countries:
     description: 'Comma separated list of countries to block.'
     required: false
+  aws_waf_rule_geo_block_countries_priority:
+    description: 'Priority for geo block countries managed rule.'
+    required: false
   aws_waf_rule_geo_allow_only_countries:
     description: 'Comma separated list of countries to allow.'
     required: false
+  aws_waf_rule_geo_allow_only_countries_priority:
+    description: 'Priority for geo allow only countries managed rule.'
+    required: false
   aws_waf_rule_sqli:
     description: 'Enable managed rule for SQL injection.'
     required: false
+  aws_waf_rule_sqli_priority:
+    description: 'Priority for SQL injection managed rule.'
+    required: false
   aws_waf_rule_linux:
     description: 'Enable managed rule for Linux.'
     required: false
+  aws_waf_rule_linux_priority:
+    description: 'Priority for Linux managed rule.'
+    required: false
   aws_waf_rule_unix:
     description: 'Enable managed rule for Unix.'
     required: false
+  aws_waf_rule_unix_priority:
+    description: 'Priority for Unix managed rule.'
+    required: false
   aws_waf_rule_admin_protection:
     description: 'Enable managed rule for admin protection.'
     required: false
+  aws_waf_rule_admin_protection_priority:
+    description: 'Priority for admin protection managed rule.'
+    required: false
   aws_waf_rule_user_arn:
     description: 'ARN of the user rule.'
     required: false
+  aws_waf_rule_user_arn_priority:
+    description: 'Priority for user defined rule.'
+    required: false
   aws_waf_additional_tags:
     description: 'A JSON object of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}`'
     required: false
@@ -1307,24 +1393,54 @@ runs:
         AWS_ELB_ACCESS_LOG_EXPIRE: ${{ inputs.aws_elb_access_log_expire }}
         AWS_ELB_ADDITIONAL_TAGS: ${{ inputs.aws_elb_additional_tags }}
 
+        # AWS ALB
+        AWS_ALB_CREATE: ${{ inputs.aws_alb_create }}
+        AWS_ALB_SECURITY_GROUP_NAME: ${{ inputs.aws_alb_security_group_name }}
+        AWS_ALB_APP_PORT: ${{ inputs.aws_alb_app_port }}
+        AWS_ALB_APP_PROTOCOL: ${{ inputs.aws_alb_app_protocol }}
+        AWS_ALB_LISTEN_PORT: ${{ inputs.aws_alb_listen_port }}
+        AWS_ALB_LISTEN_PROTOCOL: ${{ inputs.aws_alb_listen_protocol }}
+        AWS_ALB_REDIRECT_ENABLE: ${{ inputs.aws_alb_redirect_enable }}
+        AWS_ALB_WWW_TO_APEX_REDIRECT: ${{ inputs.aws_alb_www_to_apex_redirect }}
+        AWS_ALB_HEALTHCHECK_PATH: ${{ inputs.aws_alb_healthcheck_path }}
+        AWS_ALB_HEALTHCHECK_PROTOCOL: ${{ inputs.aws_alb_healthcheck_protocol }}
+        AWS_ALB_SSL_POLICY: ${{ inputs.aws_alb_ssl_policy }}
+        AWS_ALB_ACCESS_LOG_ENABLED: ${{ inputs.aws_alb_access_log_enabled }}
+        AWS_ALB_ACCESS_LOG_BUCKET_NAME: ${{ inputs.aws_alb_access_log_bucket_name }}
+        AWS_ALB_ACCESS_LOG_EXPIRE: ${{ inputs.aws_alb_access_log_expire }}
+        AWS_ALB_ADDITIONAL_TAGS: ${{ inputs.aws_alb_additional_tags }}
+
         # AWS WAF
         AWS_WAF_ENABLE: ${{ inputs.aws_waf_enable }}
         AWS_WAF_LOGGING_ENABLE: ${{ inputs.aws_waf_logging_enable }}
         AWS_WAF_LOG_RETENTION_DAYS: ${{ inputs.aws_waf_log_retention_days }}
         AWS_WAF_ADDITIONAL_TAGS: ${{ inputs.aws_waf_additional_tags }}
         AWS_WAF_RULE_RATE_LIMIT: ${{ inputs.aws_waf_rule_rate_limit }}
+        AWS_WAF_RULE_RATE_LIMIT_PRIORITY: ${{ inputs.aws_waf_rule_rate_limit_priority }}
         AWS_WAF_RULE_MANAGED_RULES: ${{ inputs.aws_waf_rule_managed_rules }}
+        AWS_WAF_RULE_MANAGED_RULES_PRIORITY: ${{ inputs.aws_waf_rule_managed_rules_priority }}
         AWS_WAF_RULE_MANAGED_BAD_INPUTS: ${{ inputs.aws_waf_rule_managed_bad_inputs }}
+        AWS_WAF_RULE_MANAGED_BAD_INPUTS_PRIORITY: ${{ inputs.aws_waf_rule_managed_bad_inputs_priority }}
         AWS_WAF_RULE_IP_REPUTATION: ${{ inputs.aws_waf_rule_ip_reputation }}
+        AWS_WAF_RULE_IP_REPUTATION_PRIORITY: ${{ inputs.aws_waf_rule_ip_reputation_priority }}
         AWS_WAF_RULE_ANONYMOUS_IP: ${{ inputs.aws_waf_rule_anonymous_ip }}
+        AWS_WAF_RULE_ANONYMOUS_IP_PRIORITY: ${{ inputs.aws_waf_rule_anonymous_ip_priority }}
         AWS_WAF_RULE_BOT_CONTROL: ${{ inputs.aws_waf_rule_bot_control }}
+        AWS_WAF_RULE_BOT_CONTROL_PRIORITY: ${{ inputs.aws_waf_rule_bot_control_priority }}
         AWS_WAF_RULE_GEO_BLOCK_COUNTRIES: ${{ inputs.aws_waf_rule_geo_block_countries }}
+        AWS_WAF_RULE_GEO_BLOCK_COUNTRIES_PRIORITY: ${{ inputs.aws_waf_rule_geo_block_countries_priority }}
         AWS_WAF_RULE_GEO_ALLOW_ONLY_COUNTRIES: ${{ inputs.aws_waf_rule_geo_allow_only_countries }}
+        AWS_WAF_RULE_GEO_ALLOW_ONLY_COUNTRIES_PRIORITY: ${{ inputs.aws_waf_rule_geo_allow_only_countries_priority }}
         AWS_WAF_RULE_USER_ARN: ${{ inputs.aws_waf_rule_user_arn }}
+        AWS_WAF_RULE_USER_ARN_PRIORITY: ${{ inputs.aws_waf_rule_user_arn_priority }}
         AWS_WAF_RULE_SQLI: ${{ inputs.aws_waf_rule_sqli }}
+        AWS_WAF_RULE_SQLI_PRIORITY: ${{ inputs.aws_waf_rule_sqli_priority }}
         AWS_WAF_RULE_LINUX: ${{ inputs.aws_waf_rule_linux }}
+        AWS_WAF_RULE_LINUX_PRIORITY: ${{ inputs.aws_waf_rule_linux_priority }}
         AWS_WAF_RULE_UNIX: ${{ inputs.aws_waf_rule_unix }}
+        AWS_WAF_RULE_UNIX_PRIORITY: ${{ inputs.aws_waf_rule_unix_priority }}
         AWS_WAF_RULE_ADMIN_PROTECTION: ${{ inputs.aws_waf_rule_admin_protection }}
+        AWS_WAF_RULE_ADMIN_PROTECTION_PRIORITY: ${{ inputs.aws_waf_rule_admin_protection_priority }}
 
         # AWS EFS
         AWS_EFS_CREATE: ${{ inputs.aws_efs_create }}

operations/_scripts/generate/generate_provider.sh

@@ -74,6 +74,6 @@ provider \"kubernetes\" {
 }" >> "${GITHUB_ACTION_PATH}/operations/deployment/terraform/$1/bitovi_provider.tf"
 }
 
-generate_provider_aws aws ec2,r53,elb,efs,vpc,rds,aurora,ecs,db_proxy,redis,eks,ecr,waf
+generate_provider_aws aws ec2,r53,elb,efs,vpc,rds,aurora,ecs,db_proxy,redis,eks,ecr,waf,lb
 
 echo "Done with generate_provider.sh"