AWS WAF Automation Using Terraform

WAF Automation on AWS solution is developed using Terraform which automatically deploys a set of AWS WAF rules that filter common web-based attacks. Users can select from preconfigured protective features that define the rules included in an AWS WAF web access control list (web ACL). Once deployed, AWS WAF protects your Amazon CloudFront distributions or Application Load Balancers by inspecting web requests.

Target Architecture

Prerequisites

1. An active AWS account.
2. AWS Command Line Interface (AWS CLI) installed and configured with necessary permissions. For more information about this , refer this documentation.
3. Terraform installed and configured. For more information about this , refer this documentation.

Deployment

terraform init
terraform plan -var-file="testing.tfvars"
terraform apply -var-file="testing.tfvars"

Check out this APG Pattern for detailed deployment instructions: Deploy the Security Automations for AWS WAF solution by using Terraform

Types of inputs:

ActivateHttpFloodProtectionParam = yes - AWS Lambda log parser, yes - Amazon Athena log parser,yes - AWS WAF rate based rule
ActivateScannersProbesProtectionParam =yes - AWS Lambda log parser, yes - Amazon Athena log parser
ENDPOINT = ALB , cloudfront

Existing issue:

Error: Error deleting WAFv2 IPSet: WAFOptimisticLockException: AWS WAF couldn’t save your changes because someone changed the resource after you started to edit it. Re-apply your changes.

Workaround:

Delete the IPsets manually and retry the terraform destroy command. Reference : hashicorp/terraform-provider-aws#21136

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.

Requirements

Name	Version
aws	~> 3.0

Providers

Name	Version
aws	~> 3.0
random	n/a

Modules

No modules.

Inputs

Name	Description	Type	Default	Required
ActivateAWSManagedRulesParam	n/a	string	"no"	no
ActivateBadBotProtectionParam	n/a	string	"yes"	no
ActivateCrossSiteScriptingProtectionParam	n/a	string	"yes"	no
ActivateHttpFloodProtectionParam	n/a	string	"yes - AWS WAF rate based rule"	no
ActivateReputationListsProtectionParam	n/a	string	"yes"	no
ActivateScannersProbesProtectionParam	n/a	string	""	no
ActivateSqlInjectionProtectionParam	n/a	string	"yes"	no
AppAccessLogBucket	Application Access Log Bucket Name	string	"myownbucket-tam"	no
BadBotProtectionActivated	n/a	string	"yes"	no
DeliveryStreamName	Name of the Delivery stream value	string	"terraform-kinesis-firehose-extended-s3-test-stream"	no
ENDPOINT	cloudfront or ALB	string	"cloudFront"	no
ErrorThreshold	error threshold for Log Monitoring Settings	number	50	no
IPRetentionPeriod	n/a	string	"no"	no
IPRetentionPeriodAllowedParam	IP Retention Settings allowed value	number	-1	no
IPRetentionPeriodDeniedParam	IP Retention Settings denied value	number	-1	no
KEEP_ORIGINAL_DATA	S3 original data	string	"No"	no
KeyPrefix	Keyprefix values for the lambda source code	string	"aws-waf-security-automations/v3.2.0"	no
LOG_LEVEL	Log level	string	"INFO"	no
MetricsURL	Metrics URL	string	"https://metrics.awssolutionsbuilder.com/generic"	no
ReputationListsProtectionActivated	n/a	string	"yes"	no
RequestThreshold	request threshold for Log Monitoring Settings	number	100	no
SEND_ANONYMOUS_USAGE_DATA	Data collection parameter	string	"yes"	no
SNSEmailParam	SNS notification value	string	""	no
ScannersProbesProtectionActivated	n/a	string	"yes"	no
SendAnonymousUsageData	Data collection parameter	string	"yes"	no
SolutionID	UserAgent id value	string	"SO0006"	no
SourceBucket	Lambda source code bucket	string	"solutions"	no
USER_AGENT_EXTRA	UserAgent	string	"AwsSolution/SO0006/v3.2.0"	no
WAFBlockPeriod	block period for Log Monitoring Settings	number	240	no
app_access_logs_columns	n/a	map	{ "actions_executed": "string", "chosen_cert_arn": "string", "client_ip": "string", "client_port": "int", "domain_name": "string", "elb": "string", "elb_status_code": "string", "lambda_error_reason": "string", "matched_rule_priority": "string", "new_field": "string", "received_bytes": "bigint", "redirect_url": "string", "request_creation_time": "string", "request_processing_time": "double", "request_proto": "string", "request_url": "string", "request_verb": "string", "response_processing_time": "double", "sent_bytes": "bigint", "ssl_cipher": "string", "ssl_protocol": "string", "target_group_arn": "string", "target_ip": "string", "target_port": "int", "target_processing_time": "double", "target_status_code": "string", "time": "string", "trace_id": "string", "type": "string", "user_agent": "string" }	no
cloudfront_app_access_logs_columns	n/a	map	{ "bytes": "bigint", "cookie": "string", "date": "date", "encryptedfields": "int", "filestatus": "string", "host": "string", "hostheader": "string", "httpversion": "string", "location": "string", "method": "string", "querystring": "string", "referrer": "string", "requestbytes": "bigint", "requestid": "string", "requestip": "string", "requestprotocol": "string", "responseresulttype": "string", "resulttype": "string", "sslcipher": "string", "sslprotocol": "string", "status": "int", "time": "string", "timetaken": "float", "uri": "string", "useragent": "string", "xforwardedfor": "string" }	no
sse_algorithm	sse_algorithm	string	"aws:kms"	no
waf_access_logs_columns	n/a	map	{ "action": "string", "formatversion": "int", "httprequest": "struct<clientip:string,country:string,headers:array<structname:string,value:string>,uri:string,args:string,httpversion:string,httpmethod:string,requestid:string>", "httpsourceid": "string", "httpsourcename": "string", "nonterminatingmatchingrules": "array", "ratebasedrulelist": "array", "rulegrouplist": "array", "terminatingruleid": "string", "terminatingruletype": "string", "timestamp": "bigint", "webaclid": "string" }	no

Outputs

No outputs.