Terraform provides a WAF Web ACL resource. Is it possible to attach it to anything using an ALB or another platform, or is it useless?
Answer 0 (score: 4)
With the release of version 1.12 of the AWS provider, it is now possible to create regional WAF resources directly for use with load balancers.

You can now create any of aws_wafregional_byte_match_set, aws_wafregional_ipset, aws_wafregional_size_constraint_set, aws_wafregional_sql_injection_match_set or aws_wafregional_xss_match_set, link these as predicates to an aws_wafregional_rule, and then add the WAF rule to an aws_wafregional_web_acl. Finally, you can attach the regional WAF to a load balancer using the aws_wafregional_web_acl_association resource.

The regional WAF Web ACL association resource docs provide a useful example of how to link them all together:
resource "aws_wafregional_ipset" "ipset" {
  name = "tfIPSet"

  ip_set_descriptor {
    type  = "IPV4"
    value = "192.0.7.0/24"
  }
}

resource "aws_wafregional_rule" "foo" {
  name        = "tfWAFRule"
  metric_name = "tfWAFRule"

  predicate {
    data_id = "${aws_wafregional_ipset.ipset.id}"
    negated = false
    type    = "IPMatch"
  }
}

resource "aws_wafregional_web_acl" "foo" {
  name        = "foo"
  metric_name = "foo"

  default_action {
    type = "ALLOW"
  }

  rule {
    action {
      type = "BLOCK"
    }

    priority = 1
    rule_id  = "${aws_wafregional_rule.foo.id}"
  }
}

resource "aws_vpc" "foo" {
  cidr_block = "10.1.0.0/16"
}

data "aws_availability_zones" "available" {}

resource "aws_subnet" "foo" {
  vpc_id            = "${aws_vpc.foo.id}"
  cidr_block        = "10.1.1.0/24"
  availability_zone = "${data.aws_availability_zones.available.names[0]}"
}

resource "aws_subnet" "bar" {
  vpc_id            = "${aws_vpc.foo.id}"
  cidr_block        = "10.1.2.0/24"
  availability_zone = "${data.aws_availability_zones.available.names[1]}"
}

resource "aws_alb" "foo" {
  internal = true
  subnets  = ["${aws_subnet.foo.id}", "${aws_subnet.bar.id}"]
}

resource "aws_wafregional_web_acl_association" "foo" {
  resource_arn = "${aws_alb.foo.arn}"
  web_acl_id   = "${aws_wafregional_web_acl.foo.id}"
}
The regional WAF resources have been under consideration for a while, with people abandoning pull requests, but they are planned for the AWS provider 1.12.0 release.

Currently only the byte match set and IP address set resources are available, so they are not much use without the rule, ACL and association resources to actually do things.

Until then, you could use CloudFormation together with Terraform's own escape hatch, the aws_cloudformation_stack resource, like so:
resource "aws_lb" "load_balancer" {
  ...
}

resource "aws_cloudformation_stack" "waf" {
  name = "waf-example"

  parameters {
    ALBArn = "${aws_lb.load_balancer.arn}"
  }

  template_body = <<STACK
Parameters:
  ALBArn:
    Type: String
Resources:
  WAF:
    Type: AWS::WAFRegional::WebACL
    Properties:
      Name: WAF-Example
      DefaultAction:
        Type: BLOCK
      MetricName: WafExample
      Rules:
        - Action:
            Type: ALLOW
          Priority: 2
          RuleId:
            Ref: WhitelistRule
  WhitelistRule:
    Type: AWS::WAFRegional::Rule
    Properties:
      Name: WAF-Example-Whitelist
      MetricName: WafExampleWhiteList
      Predicates:
        - DataId:
            Ref: ExternalAPIURI
          Negated: false
          Type: ByteMatch
  ExternalAPIURI:
    Type: AWS::WAFRegional::ByteMatchSet
    Properties:
      Name: WAF-Example-StringMatch
      ByteMatchTuples:
        - FieldToMatch:
            Type: URI
          PositionalConstraint: STARTS_WITH
          TargetString: /public/
          TextTransformation: NONE
  WAFALBattachment:
    Type: AWS::WAFRegional::WebACLAssociation
    Properties:
      ResourceArn:
        Ref: ALBArn
      WebACLId:
        Ref: WAF
STACK
}
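The answer's native-Terraform example only wires up an IPMatch predicate. The block below is an added example, not code from the answer or from the provider docs, showing one of the other predicate types the answer lists (aws_wafregional_sql_injection_match_set) chained into a rule, a regional web ACL and an ALB association, in the same Terraform 0.11 interpolation style. It assumes a hypothetical ALB resource named aws_alb.app; a load balancer can carry only one web ACL at a time, so this is a separate ALB from the answer's aws_alb.foo.

```hcl
# Added example, not from the answer: a SqlInjectionMatch predicate chained
# into a rule, a regional web ACL and an ALB association. "aws_alb.app" is a
# hypothetical ALB; a load balancer carries only one web ACL at a time.
resource "aws_wafregional_sql_injection_match_set" "sqli" {
  name = "tfSqliMatchSet"
  # URL-decode the query string so percent-encoded payloads are normalised
  # before the SQL-injection detector inspects them.
  sql_injection_match_tuple {
    text_transformation = "URL_DECODE"

    field_to_match {
      type = "QUERY_STRING"
    }
  }
}

resource "aws_wafregional_rule" "sqli" {
  name        = "tfSqliRule"
  metric_name = "tfSqliRule"

  predicate {
    data_id = "${aws_wafregional_sql_injection_match_set.sqli.id}"
    negated = false
    type    = "SqlInjectionMatch"
  }
}

resource "aws_wafregional_web_acl" "app" {
  name        = "tfAppAcl"
  metric_name = "tfAppAcl"

  # Allow by default; only requests matching the rule are blocked.
  default_action {
    type = "ALLOW"
  }

  rule {
    priority = 1
    rule_id  = "${aws_wafregional_rule.sqli.id}"
    action {
      type = "BLOCK"
    }
  }
}

resource "aws_wafregional_web_acl_association" "app" {
  resource_arn = "${aws_alb.app.arn}"
  web_acl_id   = "${aws_wafregional_web_acl.app.id}"
}
```

An XssMatch predicate follows the same shape with aws_wafregional_xss_match_set; when rolling a new rule out, start with an action type of COUNT and watch the CloudWatch metric named by metric_name for false positives before switching it to BLOCK.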