Merge pull request #1 from asicsdigital/noss-initial-version

initial version

.github/CODEOWNERS

@@ -0,0 +1,38 @@
+# This is a comment.
+# Each line is a file pattern followed by one or more owners.
+
+# These owners will be the default owners for everything in
+# the repo. Unless a later match takes precedence,
+# @global-owner1 and @global-owner2 will be requested for
+# review when someone opens a pull request.
+#*       @global-owner1 @global-owner2
+*       @asicsdigital/devops
+
+# Order is important; the last matching pattern takes the most
+# precedence. When someone opens a pull request that only
+# modifies JS files, only @js-owner and not the global
+# owner(s) will be requested for a review.
+#*.js    @js-owner
+
+# You can also use email addresses if you prefer. They'll be
+# used to look up users just like we do for commit author
+# emails.
+#*.go docs@example.com
+
+# In this example, @doctocat owns any files in the build/logs
+# directory at the root of the repository and any of its
+# subdirectories.
+#/build/logs/ @doctocat
+
+# The `docs/*` pattern will match files like
+# `docs/getting-started.md` but not further nested files like
+# `docs/build-app/troubleshooting.md`.
+#docs/*  docs@example.com
+
+# In this example, @octocat owns any file in an apps directory
+# anywhere in your repository.
+#apps/ @octocat
+
+# In this example, @doctocat owns any file in the `/docs`
+# directory in the root of your repository.
+#/docs/ @doctocat

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 ASICS Digital
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,61 @@
+# terraform-aws-alb-waf-auth
+
+This creates a WAF to require a certain string in a header to allow traffic to an ALB.
+
+Use it for when you don't control the application code but want to add authentication.
+
+Note it's not true basic auth because the WAF can't send a custom unauthorized page.
+
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| alb\_arn | ALB ARN to attach the waf auth to | string | n/a | yes |
+| waf\_name\_alpha | Name for WAF resources. Note this needs to be alphanumeric only. | string | n/a | yes |
+| x\_manual\_auth\_secret | Secret to check in x-manual-auth header, if not specified will be generated randomly | string | `""` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| x\_manual\_auth\_target\_string | Secret that this WAF will check for in x-manual-auth header |
+
+## Usage
+
+If specifying the secret:
+
+```hcl
+module "waf_auth" {
+  source               = "github.com/asicsdigital/terraform-aws-alb-waf-auth?ref=v0.0.1"
+  alb_arn              = "<alb arn here>"
+  waf_name_alpha       = "<some alphabetical string here>"
+  x_manual_auth_secret = "<your secret here>"
+}
+```
+
+Or, not specifying secret:
+
+```hcl
+module "waf_auth" {
+  source         = "github.com/asicsdigital/terraform-aws-alb-waf-auth?ref=v0.0.1"
+  alb_arn        = "<alb arn here>"
+  waf_name_alpha = "<some alphabetical string here>"
+}
+
+output "x_manual_auth_secret" {
+  value = "${module.waf_auth.x_manual_auth_target_string}"
+}
+```
+
+## Authors
+
+John Noss
+
+## Changelog
+
+v0.0.1 - Initial release.
+
+## License
+
+This software is released under the MIT License (see LICENSE).

locals.tf

@@ -0,0 +1,3 @@
+locals {
+  x_manual_auth_secret_target_string = "${coalesce(var.x_manual_auth_secret, random_id.default_x_manual_auth_secret.b64)}"
+}

main.tf

@@ -0,0 +1,53 @@
+# create a random_id, note it will not be used if the input x_manual_auth_secret was specified
+resource "random_id" "default_x_manual_auth_secret" {
+  byte_length = 32
+}
+
+resource "aws_wafregional_byte_match_set" "byte_match" {
+  name = "${var.waf_name_alpha}ByteMatch"
+
+  byte_match_tuples {
+    "field_to_match" {
+      type = "HEADER"
+      data = "x-manual-auth"
+    }
+
+    positional_constraint = "EXACTLY"
+    text_transformation   = "NONE"
+    target_string         = "${local.x_manual_auth_secret_target_string}"
+  }
+}
+
+resource "aws_wafregional_rule" "auth_rule" {
+  metric_name = "${var.waf_name_alpha}Rule"
+  name        = "${var.waf_name_alpha}Rule"
+
+  predicate {
+    data_id = "${aws_wafregional_byte_match_set.byte_match.id}"
+    negated = false
+    type    = "ByteMatch"
+  }
+}
+
+resource "aws_wafregional_web_acl" "auth_acl" {
+  "default_action" {
+    type = "BLOCK"
+  }
+
+  metric_name = "${var.waf_name_alpha}ACL"
+  name        = "${var.waf_name_alpha}ACL"
+
+  rule {
+    action {
+      type = "ALLOW"
+    }
+
+    priority = 1
+    rule_id  = "${aws_wafregional_rule.auth_rule.id}"
+  }
+}
+
+resource "aws_wafregional_web_acl_association" "alb_association" {
+  resource_arn = "${var.alb_arn}"
+  web_acl_id   = "${aws_wafregional_web_acl.auth_acl.id}"
+}

outputs.tf

@@ -0,0 +1,11 @@
+# provide the secret, needed if it was randomly generated
+
+output "x_manual_auth_target_string" {
+  value       = "${local.x_manual_auth_secret_target_string}"
+  description = "Secret that this WAF will check for in x-manual-auth header"
+  sensitive   = true
+}
+
+output "test_authentication_curl_command" {
+  value = "curl -H \"x-manual-auth: ${local.x_manual_auth_secret_target_string}\" https://<your application hostname here>"
+}

variables.tf

@@ -0,0 +1,12 @@
+variable "alb_arn" {
+  description = "ALB ARN to attach the waf auth to"
+}
+
+variable "x_manual_auth_secret" {
+  description = "Secret to check in x-manual-auth header, if not specified will be generated randomly"
+  default     = ""
+}
+
+variable "waf_name_alpha" {
+  description = "Name for WAF resources. Note this needs to be alphanumeric only."
+}