New-version-of-aws-acl-role (#1683)

* New-version-of-aws-acl-role

* Fixing-jinja-linting

---------

Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com>

Author: matej5

roles/aws/_aws_network_info/tasks/subnet.yml

@@ -9,4 +9,4 @@
 
 - name: Add public subnet to the list.
   ansible.builtin.set_fact:
-    _aws_ecs_cluster_public_subnets_ids: "{{ _aws_ecs_cluster_public_subnets_ids + [ _aws_ecs_cluster_public_subnet.subnets[0].subnet_id ] }}"
+    _aws_ecs_cluster_public_subnets_ids: "{{ _aws_ecs_cluster_public_subnets_ids + [_aws_ecs_cluster_public_subnet.subnets[0].subnet_id] }}"

roles/aws/aws_acl/README.md

@@ -5,40 +5,52 @@ Creates an ACL to be attached to a CloudFront distribution or an Application Loa
 <!--ENDTOC-->
 
 <!--ROLEVARS-->
-## Default variables
+## Default variables for creation of ACL (pass it as a list)
 ```yaml
 ---
+---
 aws_acl:
-  - rate_limit: 0 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking
-    acl_rules:
-      name: example_master_acl # Name of the ACL
-      description: "Master ACL for CF"
-      scope: CLOUDFRONT # Can be REGIONAL for ALBs
-      tags: {}
-
-      botControl: false # Set to true to apply bot control
-      inspection: "COMMON" # or set to TARGETED inspection level
-
-      ip_allow:
-        name: "Allowed-ips"
-        list: []
-          #- 1.1.1.1/32 # list of ip ranges
-          #- 2.2.2.2/32
-          #- 3.3.3.3/32
-
-      ip_block:
-        name: "Blocked-ips"
-        list: []
-          #- 4.4.4.4/32 # list of ip ranges
-          #- 5.5.5.5/32
-          #- 6.6.6.6/32
+  - name: example_master_acl
+    description: "Master ACL for CF"
+    scope: CLOUDFRONT # Can be REGIONAL for ALBs
+    region: "us-east-1"
+    tags: {}
+    rules:
+      rate_limit: 200 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking
+      botControl: "COMMON" # or set to TARGETED inspection level (comment out to avoid addign rule)
+
+      ip_sets:
+        - name: "Allowed-ips-example"
+          action: allow
+          list: []
+            #- 1.1.1.1/32 # list of ip ranges
+            #- 2.2.2.2/32
+            #- 3.3.3.3/32
+        - name: "Blocked-ips-example"
+          action: block
+          list: []
+            #- 4.4.4.4/32 # list of ip ranges
+            #- 5.5.5.5/32
+            #- 6.6.6.6/32
 
       cc_block_list: []
-        #- BY # Belarus
-        #- CN # China
-        #- IR # Iran
-        #- SA # Saudi Arabia
 
+      regular_rules:
+        - name: allow_panels
+          action: allow
+          string: "panels/ajax"
+          position: "CONTAINS"
+
+#      cyber_sec: #Need to implement task
+```
+
+## Default variables for assigning ACL to CF or ALB
+```yaml
+---
+aws_acl:
+  name: example_master_acl # Name of the ACL to apply
+  scope: CLOUDFRONT # Can be REGIONAL for ALBs
+  region: "us-east-1"
 ```
 
 <!--ENDROLEVARS-->

roles/aws/aws_acl/defaults/main.yml

@@ -1,31 +1,34 @@
 ---
 aws_acl:
-  - rate_limit: 0 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking
-    acl_rules:
-      name: example_master_acl # Name of the ACL
-      description: "Master ACL for CF"
-      scope: CLOUDFRONT # Can be REGIONAL for ALBs
-      tags: {}
+  - name: example_master_acl
+    description: "Master ACL for CF"
+    scope: CLOUDFRONT # Can be REGIONAL for ALBs
+    region: "us-east-1"
+    tags: {}
+    rules:
+      rate_limit: 200 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking
+      botControl: "COMMON" # or set to TARGETED inspection level (comment out to avoid addign rule)
 
-      botControl: false # Set to true to apply bot control
-      inspection: "COMMON" # or set to TARGETED inspection level
+      ip_sets:
+        - name: "Allowed-ips-example"
+          action: allow
+          list: []
+            #- 1.1.1.1/32 # list of ip ranges
+            #- 2.2.2.2/32
+            #- 3.3.3.3/32
+        - name: "Blocked-ips-example"
+          action: block
+          list: []
+            #- 4.4.4.4/32 # list of ip ranges
+            #- 5.5.5.5/32
+            #- 6.6.6.6/32
 
-      ip_allow:
-        name: "Allowed-ips"
-        list: []
-          #- 1.1.1.1/32 # list of ip ranges
-          #- 2.2.2.2/32
-          #- 3.3.3.3/32
+      cc_block_list: []
 
-      ip_block:
-        name: "Blocked-ips"
-        list: []
-          #- 4.4.4.4/32 # list of ip ranges
-          #- 5.5.5.5/32
-          #- 6.6.6.6/32
+      regular_rules:
+        - name: allow_panels
+          action: allow
+          string: "panels/ajax"
+          position: "CONTAINS"
 
-      cc_block_list: []
-        #- BY # Belarus
-        #- CN # China
-        #- IR # Iran
-        #- SA # Saudi Arabia
+#      cyber_sec: #Need to implement task

roles/aws/aws_acl/tasks/bot_control.yml

@@ -1,3 +1,4 @@
+---
 - name: Define empty action rule list
   ansible.builtin.set_fact:
     _action_rules: []
@@ -59,7 +60,7 @@
           action_to_use:
             block: {}
 
-  - name: Define empty action rule list
+  - name: Attach common action rules to list
     ansible.builtin.set_fact:
       _action_rules: "{{ _action_rules | default([]) + _action_rules_common }}"
 
@@ -69,8 +70,8 @@
         - a_w_s_managed_rules_bot_control_rule_set:
             inspection_level: "COMMON"
 
-- name: Define rule actions targeted
-  when: aws_acl.inspection == "TARGETED"
+- name: Define targeted actions rules
+  when: _acl.rules.botControl == "TARGETED"
   block:
     - name: Define targeted actions
       ansible.builtin.set_fact:
@@ -97,7 +98,7 @@
             action_to_use:
               block: {}
 
-    - name: Define empty action rule list
+    - name: Attach targeted action rules to list
       ansible.builtin.set_fact:
         _action_rules: "{{ _action_rules | default([]) + _action_rules_tgt }}"
 
@@ -111,8 +112,7 @@
 - name: Define Bot Control rule.
   ansible.builtin.set_fact:
     bot_control:
-    - name: bot_control
-      priority: 4
+      name: bot_control
 #          action:
 #            block: {}
       override_action:
@@ -128,6 +128,13 @@
           managed_rule_group_configs: "{{ _rule_config }}"
           rule_action_overrides: "{{ _action_rules }}"
 
+- name: Append priority to rule.
+  ansible.builtin.set_fact:
+    bot_control: "{{ bot_control | combine(_priority_dict) }}"
+
 - name: Add rule to list.
   ansible.builtin.set_fact:
-    _acl_rules: "{{ _acl_rules + bot_control}}"
+    _rules: "{{ _rules + [bot_control] }}"
+
+- name: Increase priority.
+  ansible.builtin.include_tasks: increase_priority.yml