updating-cloudfront-role-2.x

roles/aws/aws_cloudfront_distribution/defaults/main.yml

@@ -1,7 +1,8 @@
 ---
 # Uncomment cf_acl to create firewall rules for Cloudfront distro
+#rate_limit: 600 # rate_limit needs to be standalone variable to avoid casting issues (it will be considrate as string instead of int)
 #cf_acl:
-#  rate_limit: 600
+#  acl_name: "dummy_master_acl"
 #  scope: "CLOUDFRONT" # Can be "REGIONAL"
 #  region: "us-east-1" # If scope is set to CLOUDFRONT, region must be us-east-1, even though docs say it will be skipped
 #

roles/aws/aws_cloudfront_distribution/tasks/create_acl.yml

@@ -0,0 +1,115 @@
+- name: Define dict for rules
+  ansible.builtin.set_fact:
+    acl_rules: []
+
+- name: Set IP allow rule
+  block:
+    - name: Create IP allow set for WAF
+      community.aws.wafv2_ip_set:
+        name: "{{ cf_acl.ip_allow.name }}"
+        state: present
+        description: Set of allowed IPs
+        scope: "{{ cf_acl.scope }}"
+        region: "{{ cf_acl.region }}"
+        ip_address_version: IPV4
+        addresses: "{{ cf_acl.ip_allow.list }}"
+      register: ip_set_info
+
+    - name: Create IP allow rule
+      ansible.builtin.set_fact:
+        ip_allow_rule:
+        - name: allow_ips
+          priority: 0
+          action:
+            allow: {}
+          visibility_config:
+            sampled_requests_enabled: true
+            cloud_watch_metrics_enabled: true
+            metric_name: Allow_IPs
+          statement:
+            ip_set_reference_statement:
+              arn: "{{ ip_set_info.arn }}"
+
+    - name: Add rule to list
+      ansible.builtin.set_fact:
+        acl_rules: "{{ acl_rules + ip_allow_rule }}"
+  when: cf_acl.ip_allow is defined
+
+- name: Set IP block rule
+  block:
+    - name: Create IP block set for WAF
+      community.aws.wafv2_ip_set:
+        name: "{{ cf_acl.ip_block.name }}"
+        state: present
+        description: Set of blocked IPs
+        scope: "{{ cf_acl.scope }}"
+        region: "{{ cf_acl.region }}"
+        ip_address_version: IPV4
+        addresses: "{{ cf_acl.ip_block.list }}"
+      register: ip_set_info
+
+    - name: Create IP block rule
+      ansible.builtin.set_fact:
+        ip_block_rule:
+          - name: block_countries
+            priority: 1
+            action:
+              block: {}
+            visibility_config:
+              sampled_requests_enabled: true
+              cloud_watch_metrics_enabled: true
+              metric_name: block_countries
+            statement:
+              geo_match_statement: # Can't find the actual name, I got this from aws rule JSON formated
+                country_codes: "{{ cf_acl.cc_block_list }}"
+
+    - name: Add rule to list
+      ansible.builtin.set_fact:
+        acl_rules: "{{ acl_rules + ip_block_rule}}"
+  when: cf_acl.ip_block is defined
+
+# Workaround for rate limit rule in ACL (any variable gets interpreted as string instead of int)
+- name: Set rate limit variable
+  block:
+    - name: Define r_limit to avoid issues
+      ansible.builtin.set_fact:
+        r_limit: "{{ rate_limit | int }}"
+
+    - name: Define rate rule
+      ansible.builtin.set_fact:
+        rate_rule:
+        - name: rate_limit
+          priority: 2
+          action:
+            block: {}
+          visibility_config:
+            sampled_requests_enabled: true
+            cloud_watch_metrics_enabled: true
+            metric_name: rate_limit
+          statement:
+            rate_based_statement:
+              limit: "{{ rate_limit }}"
+              aggregate_key_type: IP
+
+    - name: Add rule to list
+      ansible.builtin.set_fact:
+        acl_rules: "{{ acl_rules + rate_rule}}"
+  when: rate_limit is defined
+
+- name: Create web acl
+  community.aws.wafv2_web_acl:
+    name: "{{ cf_acl.acl_name }}" # Member must satisfy regular expression pattern: ^[\\w\\-]+$
+    description: "WAF protecting the {{ _domain_name }}"
+    scope: "{{ cf_acl.scope }}"
+    region: "{{ cf_acl.region }}"
+    default_action: Allow # or "Block"
+    sampled_requests: false
+    cloudwatch_metrics: true # or "false" to disable metrics
+    metric_name: test-metric-name # not sure about this name, since each rule also has it's own metrics name (maybe log group name)
+    rules: "{{ acl_rules }}"
+    purge_rules: true
+#    tags:
+#      A: B
+#      C: D
+    state: present
+  register: created_acl

roles/aws/aws_cloudfront_distribution/tasks/main.yml

@@ -1,4 +1,8 @@
 ---
+- name: Create web acl if defined
+  ansible.builtin.include_tasks: create_acl.yml
+  when: cf_acl is defined
+
 - name: Create a CloudFront distribution.
   community.aws.cloudfront_distribution:
     profile: "{{ aws_cloudfront_distribution.aws_profile }}"
@@ -7,14 +11,15 @@
     state: "{{ aws_cloudfront_distribution.state }}"
     aliases: "{{ aws_cloudfront_distribution.aliases }}"
     origins: "{{ aws_cloudfront_distribution.origins }}"
+    web_acl_id: "{{ created_acl.arn | default(omit) }}"
     default_cache_behavior: "{{ aws_cloudfront_distribution.default_cache_behavior }}"
     cache_behaviors: "{{ aws_cloudfront_distribution.cache_behaviors }}"
     validate_certs: "{{ aws_cloudfront_distribution.validate_certs }}"
     viewer_certificate: "{{ aws_cloudfront_distribution.viewer_certificate }}"
     purge_origins: "{{ aws_cloudfront_distribution.purge_existing }}"
     purge_aliases: "{{ aws_cloudfront_distribution.purge_existing }}"
     purge_tags: "{{ aws_cloudfront_distribution.purge_existing }}"
-    logging: "{{ aws_cloudfront_distribution.logging | default('') }}"
+    logging: "{{ aws_cloudfront_distribution.logging | default(omit) }}"
     purge_cache_behaviors: "{{ aws_cloudfront_distribution.purge_existing }}"
     enabled: "{{ aws_cloudfront_distribution.enabled }}"
   register: _aws_cloudfront_distribution