From 16ec453eb58c9e1806d0264dc7e6d389492e0e39 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Thu, 25 Apr 2024 15:46:26 +0200 Subject: [PATCH 1/3] Fixing AWS ACL role defaults. --- docs/_Sidebar.md | 1 + docs/roles/aws/aws_acl.md | 39 +++++++++++++++++++++++ roles/aws/aws_acl/README.md | 39 +++++++++++++++++++++++ roles/aws/aws_acl/defaults/main.yml | 35 +++++++++++---------- roles/aws/aws_acl/tasks/main.yml | 48 ++++++++++++++++------------- 5 files changed, 124 insertions(+), 38 deletions(-) create mode 100644 docs/roles/aws/aws_acl.md create mode 100644 roles/aws/aws_acl/README.md diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md index fe73f6915..e65b520cb 100644 --- a/docs/_Sidebar.md +++ b/docs/_Sidebar.md @@ -4,6 +4,7 @@ - [Usage](/scripts) - [Roles](roles) - [AWS Infrastructure](/roles/aws) + - [AWS ACL](/roles/aws/aws_acl) - [AWS Certificate Manager](/roles/aws/aws_acm) - [AWS AMI](/roles/aws/aws_ami) - [AWS Backup](/roles/aws/aws_backup) diff --git a/docs/roles/aws/aws_acl.md b/docs/roles/aws/aws_acl.md new file mode 100644 index 000000000..e61200e38 --- /dev/null +++ b/docs/roles/aws/aws_acl.md @@ -0,0 +1,39 @@ +# AWS ACL +Creates an ACL to be attached to a CloudFront distribution or an Application Load Balancer (ALB). + + + + + +## Default variables +```yaml +--- +rate_limit: 0 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking +aws_acl: + name: example_master_acl + scope: CLOUDFRONT # Can be REGIONAL for ALBs + region: us-east-1 # If scope is set to CLOUDFRONT, region must be us-east-1, even though docs say it will be skipped + tags: {} + + ip_allow: + name: "Allowed-ips" + list: [] + #- 1.1.1.1/32 # list of ip ranges + #- 2.2.2.2/32 + #- 3.3.3.3/32 + + ip_block: + name: "Blocked-ips" + list: [] + #- 4.4.4.4/32 # list of ip ranges + #- 5.5.5.5/32 + #- 6.6.6.6/32 + + cc_block_list: [] + #- BY # Belarus + #- CN # China + #- IR # Iran + #- SA # Saudi Arabia +``` + + 
diff --git a/roles/aws/aws_acl/README.md b/roles/aws/aws_acl/README.md new file mode 100644 index 000000000..e61200e38 --- /dev/null +++ b/roles/aws/aws_acl/README.md @@ -0,0 +1,39 @@ +# AWS ACL +Creates an ACL to be attached to a CloudFront distribution or an Application Load Balancer (ALB). + + + + + +## Default variables +```yaml +--- +rate_limit: 0 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking +aws_acl: + name: example_master_acl + scope: CLOUDFRONT # Can be REGIONAL for ALBs + region: us-east-1 # If scope is set to CLOUDFRONT, region must be us-east-1, even though docs say it will be skipped + tags: {} + + ip_allow: + name: "Allowed-ips" + list: [] + #- 1.1.1.1/32 # list of ip ranges + #- 2.2.2.2/32 + #- 3.3.3.3/32 + + ip_block: + name: "Blocked-ips" + list: [] + #- 4.4.4.4/32 # list of ip ranges + #- 5.5.5.5/32 + #- 6.6.6.6/32 + + cc_block_list: [] + #- BY # Belarus + #- CN # China + #- IR # Iran + #- SA # Saudi Arabia +``` + + diff --git a/roles/aws/aws_acl/defaults/main.yml b/roles/aws/aws_acl/defaults/main.yml index 8845df2d6..a674711db 100644 --- a/roles/aws/aws_acl/defaults/main.yml +++ b/roles/aws/aws_acl/defaults/main.yml 
@@ -1,26 +1,27 @@ --- -rate_limit: 200 +rate_limit: 0 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking aws_acl: - name: "dummy_master_acl" - scope: "CLOUDFRONT" # Can be "REGIONAL" for ALBs - region: "us-east-1" # If scope is set to CLOUDFRONT, region must be us-east-1, even though docs say it will be skipped + name: example_master_acl + scope: CLOUDFRONT # Can be REGIONAL for ALBs + region: us-east-1 # If scope is set to CLOUDFRONT, region must be us-east-1, even though docs say it will be skipped + tags: {} ip_allow: name: "Allowed-ips" - list: - - 1.1.1.1/32 - - 2.2.2.2/32 - - 3.3.3.3/32 + list: [] + #- 1.1.1.1/32 # list of ip ranges + #- 2.2.2.2/32 + #- 3.3.3.3/32 ip_block: name: "Blocked-ips" - list: - - 4.4.4.4/32 - - 5.5.5.5/32 - - 6.6.6.6/32 + list: [] + #- 4.4.4.4/32 # list of ip ranges + #- 5.5.5.5/32 + #- 6.6.6.6/32 - cc_block_list: - - BY # Belarus - - CN # China - - IR # Iran - - SA # Saudi Arabia \ No newline at end of file + cc_block_list: [] + #- BY # Belarus + #- CN # China + #- IR # Iran + #- SA # Saudi Arabia \ No newline at end of file diff --git a/roles/aws/aws_acl/tasks/main.yml b/roles/aws/aws_acl/tasks/main.yml index 43ca97338..b957d32ee 100644 --- a/roles/aws/aws_acl/tasks/main.yml +++ b/roles/aws/aws_acl/tasks/main.yml @@ -1,11 +1,13 @@ -- name: Define dict for rules +- name: Define dict for rules. ansible.builtin.set_fact: _acl_rules: [] -- name: Set IP block rule - when: aws_acl.ip_block is defined +- name: Set IP block rule. + when: + - aws_acl.ip_block is defined + - aws_acl.ip_block.list | length > 0 block: - - name: Create IP block set for WAF + - name: Create IP block set for WAF. community.aws.wafv2_ip_set: name: "{{ aws_acl.ip_block.name }}" state: present 
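Review bot: With every value in this file left at its default the role still creates and attaches a web ACL that contains no rules, because `rate_limit: 0` and the three empty lists each skip their rule task while `_acl_rules: []` is still handed to `community.aws.wafv2_web_acl` with `purge_rules: true` in the later hunk; that deserves a line at the top, e.g. `# With all defaults unchanged an empty ACL is created - set rate_limit or populate a list to get any filtering.`. The commented-out examples use `#-` with no space after the hash, which yamllint's comments rule rejects; `# - 1.1.1.1/32` reads the same and lints clean (the README and docs copies added in this patch have the same form). The IP set names `Allowed-ips` / `Blocked-ips` are unchanged context, but as shared defaults two ACLs in the same account and scope would presumably resolve to the same named IP set, so a comment saying the names should be made unique per ACL would help.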
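Review bot: The new second condition `aws_acl.ip_block.list | length > 0` raises an undefined-variable error when a caller's `aws_acl.ip_block` mapping carries a `name` but no `list` key, because the `is defined` test on the first line only covers `ip_block` itself; `- aws_acl.ip_block.list | default([]) | length > 0` keeps the intended skip and tolerates that shape instead of failing before the block runs. The `ip_allow` condition in the `@@ -31,14 +33,16 @@` hunk has the same issue and the same fix. The block these conditions guard continues past the end of this hunk.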
@@ -16,7 +18,7 @@ addresses: "{{ aws_acl.ip_block.list }}" register: _ip_set_info - - name: Create IP block rule + - name: Create IP block rule. ansible.builtin.set_fact: ip_block_rule: - name: "{{ aws_acl.ip_block.name }}" @@ -31,14 +33,16 @@ ip_set_reference_statement: arn: "{{ _ip_set_info.arn }}" - - name: Add rule to list + - name: Add rule to list. ansible.builtin.set_fact: _acl_rules: "{{ _acl_rules + ip_block_rule }}" -- name: Set IP allow rule - when: aws_acl.ip_allow is defined +- name: Set IP allow rule. + when: + - aws_acl.ip_allow is defined + - aws_acl.ip_allow.list | length > 0 block: - - name: Create IP allow set for WAF + - name: Create IP allow set for WAF. community.aws.wafv2_ip_set: name: "{{ aws_acl.ip_allow.name }}" state: present @@ -49,7 +53,7 @@ addresses: "{{ aws_acl.ip_allow.list }}" register: _ip_set_info - - name: Create IP allow rule + - name: Create IP allow rule. ansible.builtin.set_fact: ip_allow_rule: - name: "{{ aws_acl.ip_allow.name }}" @@ -64,12 +68,14 @@ ip_set_reference_statement: arn: "{{ _ip_set_info.arn }}" - - name: Add rule to list + - name: Add rule to list. ansible.builtin.set_fact: _acl_rules: "{{ _acl_rules + ip_allow_rule }}" -- name: Set country block rule - when: aws_acl.cc_block_list is defined +- name: Set country block rule. + when: + - aws_acl.cc_block_list is defined + - aws_acl.cc_block_list | length > 0 block: - name: Create country block rule ansible.builtin.set_fact: @@ -91,10 +97,12 @@ _acl_rules: "{{ _acl_rules + cc_block_rule }}" # Workaround for rate limit rule in ACL (any variable gets interpreted as string instead of int) -- name: Set rate limit variable - when: rate_limit is defined +- name: Set rate limit variable. + when: + - rate_limit is defined + - rate_limit > 0 block: - - name: Define rate rule + - name: Define rate rule. ansible.builtin.set_fact: rate_rule: - name: rate_limit 
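Review bot: In the `@@ -91,10 +97,12 @@` hunk the new `rate_limit > 0` condition compares the variable in whatever type it arrives, and the comment two lines above the `when` already records that this value tends to reach the role as a string; a string-versus-int comparison is a Jinja2 error rather than a false result, so `- rate_limit | int > 0` is the safer form. It may also be worth noting in the same comment that AWS enforces a lower bound on rate-based rule limits, since a small positive value passes this check and only fails at the API call. The `block` this condition guards ends in the next hunk.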
@@ -110,11 +118,11 @@ limit: "{{ rate_limit }}" aggregate_key_type: IP - - name: Add rule to list + - name: Add rule to list. ansible.builtin.set_fact: _acl_rules: "{{ _acl_rules + rate_rule}}" -- name: Create web acl +- name: Create web acl. community.aws.wafv2_web_acl: name: "{{ aws_acl.name }}" # Member must satisfy regular expression pattern: ^[\\w\\-]+$ description: "WAF protecting the {{ _domain_name }}" @@ -126,9 +134,7 @@ metric_name: test-metric-name # not sure about this name, since each rule also has it's own metrics name (maybe log group name) rules: "{{ _acl_rules }}" purge_rules: true -# tags: -# A: B -# C: D + tags: "{{ aws_acl.tags }}" state: present register: _created_acl From 62b6edd429df23572f943dfa39f89830577b4f55 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Thu, 25 Apr 2024 15:51:17 +0200 Subject: [PATCH 2/3] Docs update. --- docs/roles/aws/aws_cloudfront_distribution.md | 32 +------------------ docs/roles/debian/clamav.md | 2 +- docs/roles/debian/nginx.md | 2 ++ docs/roles/debian/php-fpm.md | 1 + .../aws/aws_cloudfront_distribution/README.md | 32 +------------------ .../tasks/main.yml | 8 ++--- roles/debian/clamav/README.md | 2 +- roles/debian/nginx/README.md | 2 ++ roles/debian/php-fpm/README.md | 1 + 9 files changed, 14 insertions(+), 68 deletions(-) diff --git a/docs/roles/aws/aws_cloudfront_distribution.md b/docs/roles/aws/aws_cloudfront_distribution.md index 63952a71c..f45a01af6 100644 --- a/docs/roles/aws/aws_cloudfront_distribution.md +++ b/docs/roles/aws/aws_cloudfront_distribution.md 
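Review bot: In the `@@ -126,9 +134,7 @@` hunk, `tags: "{{ aws_acl.tags }}"` assumes the key exists, but `aws_acl` is a single dict default that callers replace wholesale (role defaults are not merged into an overriding dict under Ansible's default hash behaviour), so any inventory that already defined `aws_acl` before this patch would now fail on an undefined `tags`; `tags: "{{ aws_acl.tags | default({}) }}"` keeps the new option backward compatible. Unchanged context, but the fixed `metric_name: test-metric-name` just above means every ACL this role creates reports into the same CloudWatch metric, and the comment on that line admits the name is a guess; deriving it from `aws_acl.name` would be a worthwhile follow-up. The `community.aws.wafv2_web_acl` task starts in the previous hunk.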
@@ -7,32 +7,6 @@ Creates a new AWS CloudFront distribution (CDN) for content delivery. ## Default variables ```yaml --- -# Uncomment cf_acl to create firewall rules for Cloudfront distro -#rate_limit: 600 # rate_limit needs to be standalone variable to avoid casting issues (it will be considrate as string instead of int) -#cf_acl: -# acl_name: "dummy_master_acl" -# scope: "CLOUDFRONT" # Can be "REGIONAL" -# region: "us-east-1" # If scope is set to CLOUDFRONT, region must be us-east-1, even though docs say it will be skipped -# -# ip_allow -# name: "Allowed-ips" -# list: -# - 1.1.1.1/32 -# - 2.2.2.2/32 -# - 3.3.3.3/32 -# -# ip_block: -# name: "Blocked-ips" -# list: -# - 4.4.4.4/32 -# - 5.5.5.5/32 -# - 6.6.6.6/32 -# -# cc_block_list: -# - BY # Belarus -# - CN # China -# - IR # Iran -# - SA # Saudi Arabia aws_cloudfront_distribution: aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" @@ -95,11 +69,7 @@ aws_cloudfront_distribution: cache_behaviors: [] # A list of cache behaviors same as default_cache_behavior with additional path_pattern var required. enabled: true purge_existing: true # Set to false to append entries instead of replacing them. -# logging: -# bucket: "" # URL of S3 bucket to store logs -# enabled: false # Set true to allow logging -# include_cookies: false # Set true to add cookies in logs -# prefix: "" # Prefix for S3 object names + ``` diff --git a/docs/roles/debian/clamav.md b/docs/roles/debian/clamav.md index 6bc18e398..4529ab043 100644 --- a/docs/roles/debian/clamav.md +++ b/docs/roles/debian/clamav.md 
@@ -21,7 +21,7 @@ clamav: log_name: clamav_daily.log # scheduled scans, set to an empty dictionary for no timers timers: - clamav_scan: + clamscan_daily: timer_command: /usr/local/clamav/script/clamscan_daily # path to clamscan wrapper script, ensure it is defined in clamav.scripts timer_OnCalendar: "*-*-* 02:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events server_name: "{{ inventory_hostname }}" # for identification via email, defaults to Ansible inventory name. diff --git a/docs/roles/debian/nginx.md b/docs/roles/debian/nginx.md index 08130a46c..1890f2f3b 100644 --- a/docs/roles/debian/nginx.md +++ b/docs/roles/debian/nginx.md @@ -52,6 +52,8 @@ nginx: client_body_buffer_size: 512k fastcgi_buffer_size: 512k fastcgi_buffers: "8 256k" + cache_behavior_private: "add_header Cache-Control \"private, max-age=604800\"" + cache_behavior_public: "add_header Cache-Control \"public, max-age=604800\"" # You can inject custom directives into the main nginx.conf file here by providing them as a list of strings. #custom_directives: [] # Group prefix. Useful for grouping by environments. diff --git a/docs/roles/debian/php-fpm.md b/docs/roles/debian/php-fpm.md index b9c0edbd7..94a687ac4 100644 --- a/docs/roles/debian/php-fpm.md +++ b/docs/roles/debian/php-fpm.md @@ -61,6 +61,7 @@ php: memory_consumption: 128 max_accelerated_files: 2000 validate_timestamps: 1 + clear_env: "yes" ``` diff --git a/roles/aws/aws_cloudfront_distribution/README.md b/roles/aws/aws_cloudfront_distribution/README.md index 63952a71c..f45a01af6 100644 --- a/roles/aws/aws_cloudfront_distribution/README.md +++ b/roles/aws/aws_cloudfront_distribution/README.md 
@@ -7,32 +7,6 @@ Creates a new AWS CloudFront distribution (CDN) for content delivery. ## Default variables ```yaml --- -# Uncomment cf_acl to create firewall rules for Cloudfront distro -#rate_limit: 600 # rate_limit needs to be standalone variable to avoid casting issues (it will be considrate as string instead of int) -#cf_acl: -# acl_name: "dummy_master_acl" -# scope: "CLOUDFRONT" # Can be "REGIONAL" -# region: "us-east-1" # If scope is set to CLOUDFRONT, region must be us-east-1, even though docs say it will be skipped -# -# ip_allow -# name: "Allowed-ips" -# list: -# - 1.1.1.1/32 -# - 2.2.2.2/32 -# - 3.3.3.3/32 -# -# ip_block: -# name: "Blocked-ips" -# list: -# - 4.4.4.4/32 -# - 5.5.5.5/32 -# - 6.6.6.6/32 -# -# cc_block_list: -# - BY # Belarus -# - CN # China -# - IR # Iran -# - SA # Saudi Arabia aws_cloudfront_distribution: aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" @@ -95,11 +69,7 @@ aws_cloudfront_distribution: cache_behaviors: [] # A list of cache behaviors same as default_cache_behavior with additional path_pattern var required. enabled: true purge_existing: true # Set to false to append entries instead of replacing them. -# logging: -# bucket: "" # URL of S3 bucket to store logs -# enabled: false # Set true to allow logging -# include_cookies: false # Set true to add cookies in logs -# prefix: "" # Prefix for S3 object names + ``` diff --git a/roles/aws/aws_cloudfront_distribution/tasks/main.yml b/roles/aws/aws_cloudfront_distribution/tasks/main.yml index 4613e23f2..8fae00293 100644 --- a/roles/aws/aws_cloudfront_distribution/tasks/main.yml +++ b/roles/aws/aws_cloudfront_distribution/tasks/main.yml @@ -1,5 +1,5 @@ --- -- name: Create web acl if defined +- name: Create web acl if defined. ansible.builtin.include_role: name: aws/aws_acl when: 
@@ -7,19 +7,19 @@ - aws_acl.scope == 'CLOUDFRONT' # Creating bucket for CF logging -- name: Create S3 bucket if it does not exist +- name: Create S3 bucket if it does not exist. amazon.aws.s3_bucket: name: "{{ _domain_name }}-cf-log" state: present object_ownership: "BucketOwnerPreferred" -- name: Create S3 bucket prefix +- name: Create S3 bucket prefix. amazon.aws.s3_object: bucket: "{{ _domain_name }}-cf-log" object: "cf-logging/" mode: "create" -- name: Creating dictionary for CF logging +- name: Creating dictionary for CF logging. ansible.builtin.set_fact: _cf_s3_log: bucket: "{{ _domain_name }}-cf-log.s3.amazonaws.com" # URL of S3 bucket to store logs diff --git a/roles/debian/clamav/README.md b/roles/debian/clamav/README.md index 6bc18e398..4529ab043 100644 --- a/roles/debian/clamav/README.md +++ b/roles/debian/clamav/README.md @@ -21,7 +21,7 @@ clamav: log_name: clamav_daily.log # scheduled scans, set to an empty dictionary for no timers timers: - clamav_scan: + clamscan_daily: timer_command: /usr/local/clamav/script/clamscan_daily # path to clamscan wrapper script, ensure it is defined in clamav.scripts timer_OnCalendar: "*-*-* 02:30:00" # see systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events server_name: "{{ inventory_hostname }}" # for identification via email, defaults to Ansible inventory name. diff --git a/roles/debian/nginx/README.md b/roles/debian/nginx/README.md index 08130a46c..1890f2f3b 100644 --- a/roles/debian/nginx/README.md +++ b/roles/debian/nginx/README.md 
@@ -52,6 +52,8 @@ nginx: client_body_buffer_size: 512k fastcgi_buffer_size: 512k fastcgi_buffers: "8 256k" + cache_behavior_private: "add_header Cache-Control \"private, max-age=604800\"" + cache_behavior_public: "add_header Cache-Control \"public, max-age=604800\"" # You can inject custom directives into the main nginx.conf file here by providing them as a list of strings. #custom_directives: [] # Group prefix. Useful for grouping by environments. diff --git a/roles/debian/php-fpm/README.md b/roles/debian/php-fpm/README.md index b9c0edbd7..94a687ac4 100644 --- a/roles/debian/php-fpm/README.md +++ b/roles/debian/php-fpm/README.md @@ -61,6 +61,7 @@ php: memory_consumption: 128 max_accelerated_files: 2000 validate_timestamps: 1 + clear_env: "yes" ``` From 4d81fc563de3f6cffe71ec703d90691c88e2b40a Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Thu, 25 Apr 2024 16:17:22 +0200 Subject: [PATCH 3/3] Punctuation fix! --- roles/aws/aws_acl/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/aws/aws_acl/tasks/main.yml b/roles/aws/aws_acl/tasks/main.yml index b957d32ee..08968c719 100644 --- a/roles/aws/aws_acl/tasks/main.yml +++ b/roles/aws/aws_acl/tasks/main.yml @@ -138,7 +138,7 @@ state: present register: _created_acl -- name: Add WAF to ALB +- name: Add WAF to ALB. community.aws.wafv2_resources: name: "{{ aws_acl.name }}" scope: REGIONAL