

Tdrd 339 automated or semi automated workflow for blocking i ps with …
…malicious activity (#303)

* blocked ips
ian-hoyle authored Jan 21, 2025
1 parent a200f33 commit fb70bb3
Showing 3 changed files with 49 additions and 10 deletions.
36 changes: 33 additions & 3 deletions waf/main.tf
Expand Up @@ -6,6 +6,15 @@ resource "aws_wafv2_ip_set" "trusted" {
scope = "REGIONAL"
}

resource "aws_wafv2_ip_set" "blocked_ips" {
name = "${var.project}-${var.function}-${var.environment}-blockedIps"
scope = "REGIONAL"
ip_address_version = "IPV4"
addresses = length(var.blocked_ips) > 0 ? split(",", var.blocked_ips) : []
description = "IP set for blocking malicious IPs"
}


resource "aws_wafv2_rule_group" "rule_group" {
capacity = 12
name = "waf-rule-group"
Expand Down Expand Up @@ -81,10 +90,31 @@ resource "aws_wafv2_web_acl" "acl" {
default_action {
block {}
}
rule {

dynamic "rule" {
for_each = var.blocked_ips == "" ? [] : [1]
content {
name = "BlockIPsRule"
priority = 0
action {
block {}
}
statement {
ip_set_reference_statement {
arn = aws_wafv2_ip_set.blocked_ips.arn
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "BlockIPsRule"
sampled_requests_enabled = true
}
}
}

rule {
name = "rate-based-rule"
priority = 0
priority = 1
action {
block {}
}
Expand All @@ -110,7 +140,7 @@ resource "aws_wafv2_web_acl" "acl" {
}
rule {
name = "acl-rule"
priority = 1
priority = 2
override_action {
none {}
}
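Review bot: The address list on the `addresses =` line of aws_wafv2_ip_set.blocked_ips is a bare `split(",", var.blocked_ips)`, so whitespace around a comma or a trailing comma produces an entry such as `" 198.51.100.7/32"` or `""` that the IP set rejects at apply time, taking the whole WAF apply down with it; trimming and filtering, `addresses = [for ip in split(",", var.blocked_ips) : trimspace(ip) if trimspace(ip) != ""]`, keeps a malformed variable from doing that. The same variable is tested two ways (`length(var.blocked_ips) > 0` on the ip set, `var.blocked_ips == ""` on the dynamic rule and the output), so one form should be used everywhere to keep the ip set and the rule from drifting apart. Renumbering the inline rules to priorities 1 and 2 only stays conflict-free because the default of `var.aws_managed_rules` was shifted by one in the same commit; a caller that passes its own list with the old priority 2 now collides with `acl-rule`, which WAF rejects as a duplicate priority, so the shift deserves a line in that variable's description. The ip set is `IPV4` only, so a source reaching the ALB over IPv6 is not covered by BlockIPsRule — fine if the listener is IPv4-only, otherwise an IPV6 set is needed alongside it. The aws_wafv2_web_acl resource starts before and continues after the hunk shown.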
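--- a/waf/outputs.tf
+++ b/waf/outputs.tf
@@ -5,3 +5,7 @@ output "ip_set_arn" {
 output "rule_group_arn" {
 value = aws_wafv2_rule_group.rule_group.arn
 }
+
+output "blocked_ip_set_arn" {
+value = var.blocked_ips == "" ? "" : aws_wafv2_ip_set.blocked_ips.arn
+}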
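Review bot: The conditional on the `value` line returns the sentinel `""` when no addresses are configured, yet aws_wafv2_ip_set.blocked_ips is created unconditionally in waf/main.tf, so its ARN always exists and can be exported directly as `value = aws_wafv2_ip_set.blocked_ips.arn`. If the intent is to signal that the blocking rule is disabled, `null` is the conventional Terraform value for "absent" and spares consumers a string comparison against an empty string.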
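--- a/waf/variables.tf
+++ b/waf/variables.tf
@@ -23,8 +23,13 @@ variable "trusted_ips" {
 default = ""
 }
 
+variable "blocked_ips" {
+description = "blocked IP addresses"
+default = ""
+}
+
 variable "restricted_uri" {
-description = "Resricted URI"
+description = "Restricted URI"
 default = ""
 }
 
@@ -49,11 +54,11 @@ variable "aws_managed_rules" {
 metric_name = string
 }))
 default = [
-{ name = "AWS-AWSManagedRulesAmazonIpReputationList", priority = 2, managed_rule_group_statement_name = "AWSManagedRulesAmazonIpReputationList", managed_rule_group_statement_vendor_name = "AWS", metric_name = "AWS-AWSManagedRulesAmazonIpReputationList" },
-{ name = "AWS-AWSManagedRulesCommonRuleSet", priority = 3, managed_rule_group_statement_name = "AWSManagedRulesCommonRuleSet", managed_rule_group_statement_vendor_name = "AWS", metric_name = "AWS-AWSManagedRulesCommonRuleSet" },
-{ name = "AWS-AWSManagedRulesKnownBadInputsRuleSet", priority = 4, managed_rule_group_statement_name = "AWSManagedRulesKnownBadInputsRuleSet", managed_rule_group_statement_vendor_name = "AWS", metric_name = "AWS-AWSManagedRulesKnownBadInputsRuleSet" },
-{ name = "AWS-AWSManagedRulesLinuxRuleSet", priority = 5, managed_rule_group_statement_name = "AWSManagedRulesLinuxRuleSet", managed_rule_group_statement_vendor_name = "AWS", metric_name = "AWS-AWSManagedRulesLinuxRuleSet" },
-{ name = "AWS-AWSManagedRulesUnixRuleSet", priority = 6, managed_rule_group_statement_name = "AWSManagedRulesUnixRuleSet", managed_rule_group_statement_vendor_name = "AWS", metric_name = "AWS-AWSManagedRulesUnixRuleSet" },
-{ name = "AWS-AWSManagedRulesSQLiRuleSet", priority = 7, managed_rule_group_statement_name = "AWSManagedRulesSQLiRuleSet", managed_rule_group_statement_vendor_name = "AWS", metric_name = "AWS-AWSManagedRulesSQLiRuleSet" }
+{ name = "AWS-AWSManagedRulesAmazonIpReputationList", priority = 3, managed_rule_group_statement_name = "AWSManagedRulesAmazonIpReputationList", managed_rule_group_statement_vendor_name = "AWS", metric_name = "AWS-AWSManagedRulesAmazonIpReputationList" },
+{ name = "AWS-AWSManagedRulesCommonRuleSet", priority = 4, managed_rule_group_statement_name = "AWSManagedRulesCommonRuleSet", managed_rule_group_statement_vendor_name = "AWS", metric_name = "AWS-AWSManagedRulesCommonRuleSet" },
+{ name = "AWS-AWSManagedRulesKnownBadInputsRuleSet", priority = 5, managed_rule_group_statement_name = "AWSManagedRulesKnownBadInputsRuleSet", managed_rule_group_statement_vendor_name = "AWS", metric_name = "AWS-AWSManagedRulesKnownBadInputsRuleSet" },
+{ name = "AWS-AWSManagedRulesLinuxRuleSet", priority = 6, managed_rule_group_statement_name = "AWSManagedRulesLinuxRuleSet", managed_rule_group_statement_vendor_name = "AWS", metric_name = "AWS-AWSManagedRulesLinuxRuleSet" },
+{ name = "AWS-AWSManagedRulesUnixRuleSet", priority = 7, managed_rule_group_statement_name = "AWSManagedRulesUnixRuleSet", managed_rule_group_statement_vendor_name = "AWS", metric_name = "AWS-AWSManagedRulesUnixRuleSet" },
+{ name = "AWS-AWSManagedRulesSQLiRuleSet", priority = 8, managed_rule_group_statement_name = "AWSManagedRulesSQLiRuleSet", managed_rule_group_statement_vendor_name = "AWS", metric_name = "AWS-AWSManagedRulesSQLiRuleSet" }
 ]
 }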
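Review bot: The new `variable "blocked_ips"` in the first hunk declares neither a `type` nor a `validation` block, so a wrong value is only reported by AWS part-way through the apply, after the plan was accepted. The IP set it feeds requires CIDR notation (`203.0.113.5/32`, not a bare address — a constructed documentation-range example), which the description `blocked IP addresses` does not say, and the comma-separated contract is not stated either; a validation that accepts the empty default and otherwise checks each trimmed entry turns both mistakes into a plan-time message. A replacement for the variable block that keeps the interface (name and empty default) unchanged:
```hcl
variable "blocked_ips" {
  description = "Comma-separated IPv4 CIDR blocks to block at the WAF (e.g. 203.0.113.5/32); empty disables BlockIPsRule"
  type        = string
  default     = ""

  validation {
    condition     = var.blocked_ips == "" || alltrue([for ip in split(",", var.blocked_ips) : can(cidrnetmask(trimspace(ip)))])
    error_message = "blocked_ips must be empty or a comma-separated list of IPv4 CIDR blocks."
  }
}
```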

