From 257bd8026289b585ebae2f2bfb489e88716f3eb6 Mon Sep 17 00:00:00 2001
From: Ross Murray
Date: Tue, 17 Sep 2024 14:50:28 +1000
Subject: [PATCH] feat: WAFACLs to support IPV6
---
 aws/services/waf/resource.ftl | 39 +++++++++++++++++++++++++++++++----
 1 file changed, 35 insertions(+), 4 deletions(-)
diff --git a/aws/services/waf/resource.ftl b/aws/services/waf/resource.ftl
index 057b806e..6e5c1dc3 100644
--- a/aws/services/waf/resource.ftl
+++ b/aws/services/waf/resource.ftl
@@ -645,10 +645,24 @@
 )]
 [#if getGroupCIDRs(wafSolution.IPAddressGroups, true, occurrence, true) ]
-[#local wafValueSet += {
-"whitelistedips" : getGroupCIDRs(wafSolution.IPAddressGroups, true, occurrence)
-}]
-[#local wafProfile += {
+
+[#local groupcidrs = asFlattenedArray(getGroupCIDRs(wafSolution.IPAddressGroups, true, occurrence))]
+[#local whitelistedipsipv4 = [] ]
+[#local whitelistedipsipv6 = [] ]
+
+[#list groupcidrs as cidr ]
+[#if cidr?matches(r"^.*:.*:.*\/(12[0-8]|1[01][0-9]|[1-9]?[0-9])$")]
+[#local whitelistedipsipv6 += [ cidr ] ]
+[#else]
+[#local whitelistedipsipv4 += [ cidr ] ]
+[/#if]
+[/#list]
+
+[#if whitelistedipsipv4?has_content]
+[#local wafValueSet += {
+"whitelistedips" : whitelistedipsipv4
+}]
+[#local wafProfile += {
 "Rules" :
 wafProfile.Rules +
 [
@@ -659,6 +673,23 @@
 ],
 "DefaultAction" : "BLOCK"
 } ]
+[/#if]
+[#if whitelistedipsipv6?has_content]
+[#local wafValueSet += {
+"whitelistedipsipv6" : whitelistedipsipv6
+}]
+[#local wafProfile += {
+"Rules" :
+wafProfile.Rules +
+[
+{
+"Rule" : "whitelistipsipv6",
+"Action" : "ALLOW"
+}
+],
+"DefaultAction" : "BLOCK"
+} ]
+[/#if]
 [/#if]
 [#local whitelistedCountryCodes = getGroupCountryCodes(wafSolution.CountryGroups, false) ]
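Review bot: The IPv6 test on the `cidr?matches(...)` line inside the `[#list groupcidrs as cidr]` loop only matches an entry that carries a `/prefix` suffix, so an IPv6 address written without one (or in any form the pattern does not anticipate) falls through the `[#else]` into whitelistedipsipv4 and ends up in the IPv4 allowlist, where it cannot be a valid entry. Since an IPv4 dotted-quad CIDR never contains a colon, the address family can be decided on that alone: `[#if cidr?contains(":")]`, with a comment such as `[#-- any entry containing ':' is IPv6; IPv4 CIDRs never contain one --]`. Whether a prefix length is present and in range is then left to the IP set definition to validate instead of being silently mis-classified here. The enclosing `[#if getGroupCIDRs(...)]` block is closed in the second hunk.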
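Review bot: The IPv6 block in this hunk repeats the IPv4 block from the first hunk line for line, with only the value-set key and the rule name changed, and neither block says why two separate rules are needed; a comment before `[#if whitelistedipsipv6?has_content]` such as `[#-- IPv4 and IPv6 addresses are kept in separate value-set entries and rules; each contributes its own ALLOW rule to the BLOCK-by-default profile --]` would make the intent clear to the next reader. The rule name `"whitelistipsipv6"` is introduced here but nothing in this patch defines it; if rule names are resolved elsewhere in the WAF templates, that definition has to land in the same change, otherwise the IPv6 allow rule is referenced but never rendered and IPv6 clients are simply blocked by the default action. The `[/#if]` added at the top of this hunk closes the IPv4 block opened in the first hunk.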