codeenigma · gregharvey · Jun 7, 2024 · May 29, 2024 · May 29, 2024 · May 29, 2024
diff --git a/roles/aws/aws_acl/README.md b/roles/aws/aws_acl/README.md
@@ -5,7 +5,7 @@ Creates an ACL to be attached to a CloudFront distribution or an Application Loa
 <!--ENDTOC-->
 
 <!--ROLEVARS-->
-## Default variables
+## Default variables for creation of ACL (pass it as a list)
 ```yaml
 ---
 aws_acl:
@@ -15,33 +15,101 @@ aws_acl:
     region: "us-east-1"
     tags: {}
     rules:
-      rate_limit: 200 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking
-      botControl: "COMMON" # or set to TARGETED inspection level (comment out to avoid addign rule)
-
+      rate_limit:
+        value: 200 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking
+        priority: 2
       ip_sets:
-        - name: "Allowed-ips-example"
+        - name: "Allowed-ips"
           action: allow
-          list: []
+          priority: 1
+          list: [] # If the list is empty, ip set won't be recreated
             #- 1.1.1.1/32 # list of ip ranges
             #- 2.2.2.2/32
             #- 3.3.3.3/32
-        - name: "Blocked-ips-example"
+        - name: "Blocked-ips"
           action: block
-          list: []
+          priority: 0
+          list: [] # If the list is empty, ip set won't be recreated
             #- 4.4.4.4/32 # list of ip ranges
             #- 5.5.5.5/32
             #- 6.6.6.6/32
-
-      cc_block_list: []
-
+      country_codes:
+        - name: "allowed-countries"
+          action: allow
+          priority: 7
+          list:
+            - GB
+            - HR
+        - name: "blocked-countries"
+          action: block
+          priority: 8
+          list:
+            - RU
+            - CN
       regular_rules:
         - name: allow_panels
           action: allow
-          string: "panels/ajax"
-          position: "CONTAINS"
-
-#      cyber_sec: #Need to implement task
+          statements_type: "single" # supported "and", "or" and "not" ("and" and "or" supports multiple statements)
+          priority: 4
+          statements:
+            - inspect: "UriPath" # Aslo supported: "SingleHeader"
+              position: "CONTAINS"
+              string: "panels/ajax"
+              text_trans: "NONE"
+        - name: block_bots
+          action: block
+          statements_type: "or" # supported "and", "or" and "not" ("and" and "or" supports multiple statements)
+          priority: 5
+          statements:
+            - inspect: "SingleHeader" # Aslo supported: "SingleHeader"
+              position: "CONTAINS"
+              string: "spider"
+              text_trans: "LOWERCASE"
+            - inspect: "SingleHeader" # Aslo supported: "SingleHeader"
+              position: "CONTAINS"
+              string: "bot"
+              text_trans: "LOWERCASE"
+            - inspect: "SingleHeader" # Aslo supported: "SingleHeader"
+              position: "CONTAINS"
+              string: "crawl"
+              text_trans: "LOWERCASE"
+      # AWS Managed rules
+      bot_control:
+        target: "COMMON" # or set to TARGETED inspection level (comment out to avoid addign rule)
+        priority: 3
+      cyber_sec:
+        enabled: true # Need to subscribe first in AWS
+        rule_list: []
+        priority: 6
+      amazon_ip_reputation:
+        enabled: true
+        rule_list: []
+        priority: 9
+      common_rule_set:
+        enabled: true
+        rule_list: []
+        priority: 10
+      php_rule_set:
+        enabled: true
+        rule_list: []
+        priority: 11
+      known_bad_inputs:
+        enabled: true
+        rule_list: []
+        priority: 12
+      anonymous_ip_list:
+        enabled: true
+        rule_list: []
+        priority: 13
+```
 
+## Default variables for assigning ACL to CF or ALB
+```yaml
+---
+aws_acl:
+  name: example_master_acl # Name of the ACL to apply
+  scope: CLOUDFRONT # Can be REGIONAL for ALBs
+  region: "us-east-1"
 ```
 
 <!--ENDROLEVARS-->
diff --git a/roles/aws/aws_acl/defaults/main.yml b/roles/aws/aws_acl/defaults/main.yml
@@ -6,29 +6,90 @@ aws_acl:
     region: "us-east-1"
     tags: {}
     rules:
-      rate_limit: 200 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking
-      botControl: "COMMON" # or set to TARGETED inspection level (comment out to avoid addign rule)
-
+      rate_limit:
+        value: 200 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking
+        priority: 2
       ip_sets:
-        - name: "Allowed-ips-example"
+        - name: "Allowed-ips"
           action: allow
-          list: []
+          priority: 1
+          list: [] # If the list is empty, ip set won't be recreated
             #- 1.1.1.1/32 # list of ip ranges
             #- 2.2.2.2/32
             #- 3.3.3.3/32
-        - name: "Blocked-ips-example"
+        - name: "Blocked-ips"
           action: block
-          list: []
+          priority: 0
+          list: [] # If the list is empty, ip set won't be recreated
             #- 4.4.4.4/32 # list of ip ranges
             #- 5.5.5.5/32
             #- 6.6.6.6/32
-
-      cc_block_list: []
-
+      country_codes:
+        - name: "allowed-countries"
+          action: allow
+          priority: 7
+          list:
+            - GB
+            - HR
+        - name: "blocked-countries"
+          action: block
+          priority: 8
+          list:
+            - RU
+            - CN
       regular_rules:
         - name: allow_panels
           action: allow
-          string: "panels/ajax"
-          position: "CONTAINS"
-
-#      cyber_sec: #Need to implement task
+          statements_type: "single" # supported "and", "or" and "not" ("and" and "or" supports multiple statements)
+          priority: 4
+          statements:
+            - inspect: "UriPath" # Aslo supported: "SingleHeader"
+              position: "CONTAINS"
+              string: "panels/ajax"
+              text_trans: "NONE"
+        - name: block_bots
+          action: block
+          statements_type: "or" # supported "and", "or" and "not" ("and" and "or" supports multiple statements)
+          priority: 5
+          statements:
+            - inspect: "SingleHeader" # Aslo supported: "SingleHeader"
+              position: "CONTAINS"
+              string: "spider"
+              text_trans: "LOWERCASE"
+            - inspect: "SingleHeader" # Aslo supported: "SingleHeader"
+              position: "CONTAINS"
+              string: "bot"
+              text_trans: "LOWERCASE"
+            - inspect: "SingleHeader" # Aslo supported: "SingleHeader"
+              position: "CONTAINS"
+              string: "crawl"
+              text_trans: "LOWERCASE"
+      # Managed rules list
+      bot_control:
+        enabled: false
+        target: "COMMON" # or set to TARGETED inspection level (comment out to avoid addign rule)
+        priority: 3
+      cyber_sec:
+        enabled: false # Need to subscribe first in AWS
+        rule_list: []
+        priority: 6
+      amazon_ip_reputation:
+        enabled: false
+        rule_list: []
+        priority: 9
+      common_rule_set:
+        enabled: false
+        rule_list: []
+        priority: 10
+      php_rule_set:
+        enabled: false
+        rule_list: []
+        priority: 11
+      known_bad_inputs:
+        enabled: false
+        rule_list: []
+        priority: 12
+      anonymous_ip_list:
+        enabled: false
+        rule_list: []
+        priority: 13
diff --git a/roles/aws/aws_acl/tasks/amazon_ip_reputation.yml b/roles/aws/aws_acl/tasks/amazon_ip_reputation.yml
@@ -0,0 +1,32 @@
+---
+- name: Create amazon ip reputation rule
+  ansible.builtin.set_fact:
+    amazon_ip_reputation:
+      name: "AWS-AWSManagedRulesAmazonIpReputationList"
+      override_action:
+        none: {}
+      visibility_config:
+        sampled_requests_enabled: true
+        cloud_watch_metrics_enabled: true
+        metric_name: "AWS-AWSManagedRulesAmazonIpReputationList"
+      statement:
+        managed_rule_group_statement:
+          vendor_name: "AWS"
+          name: "AWSManagedRulesAmazonIpReputationList"
+          rule_action_overrides:
+            - name: "AWSManagedIPDDoSList"
+              action_to_use:
+                challenge: {}
+
+- name: Set priority.
+  ansible.builtin.include_tasks: set_priority_dict.yml
+  vars:
+    _priority: "{{ _acl.rules.amazon_ip_reputation.priority }}"
+
+- name: Append priority to rule.
+  ansible.builtin.set_fact:
+    amazon_ip_reputation: "{{ amazon_ip_reputation | combine(_priority_dict) }}"
+
+- name: Add rule to list
+  ansible.builtin.set_fact:
+    _rules: "{{ _rules + [amazon_ip_reputation] }}"
diff --git a/roles/aws/aws_acl/tasks/anonymous_ip_list.yml b/roles/aws/aws_acl/tasks/anonymous_ip_list.yml
@@ -0,0 +1,35 @@
+---
+- name: Create anonymous ip list rule
+  ansible.builtin.set_fact:
+    anonymous_ip_list:
+      name: "AWS-AWSManagedRulesAnonymousIpList"
+      override_action:
+        none: {}
+      visibility_config:
+        sampled_requests_enabled: true
+        cloud_watch_metrics_enabled: true
+        metric_name: "AWS-AWSManagedRulesAnonymousIpList"
+      statement:
+        managed_rule_group_statement:
+          vendor_name: "AWS"
+          name: "AWSManagedRulesAnonymousIpList"
+          rule_action_overrides:
+            - name: "AnonymousIPList"
+              action_to_use:
+                challenge: {}
+            - name: "HostingProviderIPList"
+              action_to_use:
+                captcha: {}
+
+- name: Set priority.
+  ansible.builtin.include_tasks: set_priority_dict.yml
+  vars:
+    _priority: "{{ _acl.rules.anonymous_ip_list.priority }}"
+
+- name: Append priority to rule.
+  ansible.builtin.set_fact:
+    anonymous_ip_list: "{{ anonymous_ip_list | combine(_priority_dict) }}"
+
+- name: Add rule to list
+  ansible.builtin.set_fact:
+    _rules: "{{ _rules + [anonymous_ip_list] }}"
diff --git a/roles/aws/aws_acl/tasks/bot_control.yml b/roles/aws/aws_acl/tasks/bot_control.yml
@@ -71,7 +71,7 @@
             inspection_level: "COMMON"
 
 - name: Define targeted actions rules
-  when: _acl.rules.botControl == "TARGETED"
+  when: _acl.rules.botControl.target == "TARGETED"
   block:
     - name: Define targeted actions
       ansible.builtin.set_fact:
@@ -111,7 +111,7 @@
 
 - name: Define Bot Control rule.
   ansible.builtin.set_fact:
-    bot_control:
+    bot_control_rule:
       name: bot_control
       override_action:
         none: {}
@@ -126,13 +126,15 @@
           managed_rule_group_configs: "{{ _rule_config }}"
           rule_action_overrides: "{{ _action_rules }}"
 
+- name: Set priority.
+  ansible.builtin.include_tasks: set_priority_dict.yml
+  vars:
+    _priority: "{{ bot_control.priority }}"
+
 - name: Append priority to rule.
   ansible.builtin.set_fact:
-    bot_control: "{{ bot_control | combine(_priority_dict) }}"
+    bot_control_rule: "{{ bot_control_rule | combine(_priority_dict) }}"
 
 - name: Add rule to list.
   ansible.builtin.set_fact:
-    _rules: "{{ _rules + [bot_control] }}"
-
-- name: Increase priority.
-  ansible.builtin.include_tasks: increase_priority.yml
+    _rules: "{{ _rules + [bot_control_rule] }}"
diff --git a/roles/aws/aws_acl/tasks/cc_rules.yml b/roles/aws/aws_acl/tasks/cc_rules.yml
@@ -0,0 +1,30 @@
+---
+- name: Set action string
+  ansible.builtin.set_fact:
+    _action: "{ {{ _cc_set.action }}: {} }"
+
+- name: Create country block rule
+  ansible.builtin.set_fact:
+    cc_rule:
+      name: "{{ _cc_set.name }}"
+      action: "{{ _action | from_yaml }}"
+      visibility_config:
+        sampled_requests_enabled: true
+        cloud_watch_metrics_enabled: true
+        metric_name: "{{ _cc_set.name }}"
+      statement:
+        geo_match_statement:
+          country_codes: "{{ _cc_set.list }}"
+
+- name: Set priority.
+  ansible.builtin.include_tasks: set_priority_dict.yml
+  vars:
+    _priority: "{{ _cc_set.priority }}"
+
+- name: Append priority to rule.
+  ansible.builtin.set_fact:
+    cc_rule: "{{ cc_rule | combine(_priority_dict) }}"
+
+- name: Add rule to list
+  ansible.builtin.set_fact:
+    _rules: "{{ _rules + [cc_rule] }}"
diff --git a/roles/aws/aws_acl/tasks/common_rule_set.yml b/roles/aws/aws_acl/tasks/common_rule_set.yml
@@ -0,0 +1,28 @@
+---
+- name: Create common rule set rule
+  ansible.builtin.set_fact:
+    common_rule_set:
+      name: "AWS-AWSManagedRulesCommonRuleSet"
+      override_action:
+        none: {}
+      visibility_config:
+        sampled_requests_enabled: true
+        cloud_watch_metrics_enabled: true
+        metric_name: "AWS-AWSManagedRulesCommonRuleSet"
+      statement:
+        managed_rule_group_statement:
+          vendor_name: "AWS"
+          name: "AWSManagedRulesCommonRuleSet"
+
+- name: Set priority.
+  ansible.builtin.include_tasks: set_priority_dict.yml
+  vars:
+    _priority: "{{ _acl.rules.common_rule_set.priority }}"
+
+- name: Append priority to rule.
+  ansible.builtin.set_fact:
+    common_rule_set: "{{ common_rule_set | combine(_priority_dict) }}"
+
+- name: Add rule to list
+  ansible.builtin.set_fact:
+    _rules: "{{ _rules + [common_rule_set] }}"