Skip to content

Commit

Permalink
feat: WAFACLs to support IPV6
Browse files Browse the repository at this point in the history
  • Loading branch information
RossMurr4y authored and kshychko committed Sep 17, 2024
1 parent 61e6e24 commit 07db31b
Showing 1 changed file with 35 additions and 4 deletions.
39 changes: 35 additions & 4 deletions aws/services/waf/resource.ftl
Original file line number Diff line number Diff line change
Expand Up @@ -645,10 +645,24 @@
)]

[#if getGroupCIDRs(wafSolution.IPAddressGroups, true, occurrence, true) ]
[#local wafValueSet += {
"whitelistedips" : getGroupCIDRs(wafSolution.IPAddressGroups, true, occurrence)
}]
[#local wafProfile += {

[#local groupcidrs = asFlattenedArray(getGroupCIDRs(wafSolution.IPAddressGroups, true, occurrence))]
[#local whitelistedipsipv4 = [] ]
[#local whitelistedipsipv6 = [] ]

[#list groupcidrs as cidr ]
[#if cidr?matches(r"^.*:.*:.*\/(12[0-8]|1[01][0-9]|[1-9]?[0-9])$")]
[#local whitelistedipsipv6 += [ cidr ] ]
[#else]
[#local whitelistedipsipv4 += [ cidr ] ]
[/#if]
[/#list]

[#if whitelistedipsipv4?has_content]
[#local wafValueSet += {
"whitelistedips" : whitelistedipsipv4
}]
[#local wafProfile += {
"Rules" :
wafProfile.Rules +
[
Expand All @@ -659,6 +673,23 @@
],
"DefaultAction" : "BLOCK"
} ]
[/#if]
[#if whitelistedipsipv6?has_content]
[#local wafValueSet += {
"whitelistedipsipv6" : whitelistedipsipv6
}]
[#local wafProfile += {
"Rules" :
wafProfile.Rules +
[
{
"Rule" : "whitelistipsipv6",
"Action" : "ALLOW"
}
],
"DefaultAction" : "BLOCK"
} ]
[/#if]
[/#if]

[#local whitelistedCountryCodes = getGroupCountryCodes(wafSolution.CountryGroups, false) ]
Expand Down

0 comments on commit 07db31b

Please sign in to comment.