Terraform WAF Web ACL Resource is useless?
Terraform provides a WAF Web ACL resource. Can it be attached to anything using Terraform, e.g. an ALB, or is it useless?
With the release of the 1.12 AWS provider, it is now possible to create regional WAF resources for load balancers directly.

You can now create any of aws_wafregional_byte_match_set, aws_wafregional_ipset, aws_wafregional_size_constraint_set, aws_wafregional_sql_injection_match_set or aws_wafregional_xss_match_set, link these to an aws_wafregional_rule as predicates, and then in turn add the WAF rules to an aws_wafregional_web_acl. Finally, you can attach the regional WAF to a load balancer with the aws_wafregional_web_acl_association resource.
The regional WAF Web ACL association resource documentation provides a helpful example of how these link together:
# IP set: the condition the rule below matches on
resource "aws_wafregional_ipset" "ipset" {
  name = "tfIPSet"

  ip_set_descriptor {
    type  = "IPV4"
    value = "192.0.7.0/24"
  }
}

# Rule that uses the IP set as its predicate
resource "aws_wafregional_rule" "foo" {
  name        = "tfWAFRule"
  metric_name = "tfWAFRule"

  predicate {
    data_id = "${aws_wafregional_ipset.ipset.id}"
    negated = false
    type    = "IPMatch"
  }
}

# Web ACL: allow by default, block requests matching the rule
resource "aws_wafregional_web_acl" "foo" {
  name        = "foo"
  metric_name = "foo"

  default_action {
    type = "ALLOW"
  }

  rule {
    action {
      type = "BLOCK"
    }

    priority = 1
    rule_id  = "${aws_wafregional_rule.foo.id}"
  }
}

resource "aws_vpc" "foo" {
  cidr_block = "10.1.0.0/16"
}

data "aws_availability_zones" "available" {}

resource "aws_subnet" "foo" {
  vpc_id            = "${aws_vpc.foo.id}"
  cidr_block        = "10.1.1.0/24"
  availability_zone = "${data.aws_availability_zones.available.names[0]}"
}

resource "aws_subnet" "bar" {
  vpc_id            = "${aws_vpc.foo.id}"
  cidr_block        = "10.1.2.0/24"
  availability_zone = "${data.aws_availability_zones.available.names[1]}"
}

resource "aws_alb" "foo" {
  internal = true
  subnets  = ["${aws_subnet.foo.id}", "${aws_subnet.bar.id}"]
}

# Attach the web ACL to the load balancer
resource "aws_wafregional_web_acl_association" "foo" {
  resource_arn = "${aws_alb.foo.arn}"
  web_acl_id   = "${aws_wafregional_web_acl.foo.id}"
}
Original post:

The regional WAF resources have been stuck in a mix of review and people abandoning pull requests, but they are scheduled for the AWS provider 1.12.0 release.

Currently only the byte match set and IP address set resources are available, so they are not much use without the rule, ACL and association resources to actually do something with them.

Until then, you can use CloudFormation with Terraform's own escape hatch, the aws_cloudformation_stack resource, like this:
resource "aws_lb" "load_balancer" {
  ...
}

# Wrap the WAF Regional resources in a CloudFormation stack, passing the ALB ARN in as a parameter
resource "aws_cloudformation_stack" "waf" {
  name = "waf-example"

  parameters = {
    ALBArn = "${aws_lb.load_balancer.arn}"
  }

  template_body = <<STACK
Parameters:
  ALBArn:
    Type: String
Resources:
  WAF:
    Type: AWS::WAFRegional::WebACL
    Properties:
      Name: WAF-Example
      DefaultAction:
        Type: BLOCK
      MetricName: WafExample
      Rules:
        - Action:
            Type: ALLOW
          Priority: 2
          RuleId:
            Ref: WhitelistRule
  WhitelistRule:
    Type: AWS::WAFRegional::Rule
    Properties:
      Name: WAF-Example-Whitelist
      MetricName: WafExampleWhiteList
      Predicates:
        - DataId:
            Ref: ExternalAPIURI
          Negated: false
          Type: ByteMatch
  ExternalAPIURI:
    Type: AWS::WAFRegional::ByteMatchSet
    Properties:
      Name: WAF-Example-StringMatch
      ByteMatchTuples:
        - FieldToMatch:
            Type: URI
          PositionalConstraint: STARTS_WITH
          TargetString: /public/
          TextTransformation: NONE
  WAFALBattachment:
    Type: AWS::WAFRegional::WebACLAssociation
    Properties:
      ResourceArn:
        Ref: ALBArn
      WebACLId:
        Ref: WAF
STACK
}
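The answer lists the SQL injection and XSS match sets among the resources that arrived with provider 1.12 but only shows the IP set wired up. The following is an added example (not code from the answer above or from the Terraform project) that chains those two set types through the same match set → rule → web ACL → association structure, with a default ALLOW and one BLOCK rule per set at distinct priorities. It assumes AWS provider 1.12 or later with Terraform 0.11 interpolation syntax; the resource names (`sqli`, `xss`, `app`) and the `alb_arn` variable are assumptions, and the load balancer itself is expected to exist already.

```hcl
# Added example, not from the answer above. Assumes AWS provider >= 1.12 and
# Terraform 0.11 syntax; the ALB to protect is passed in by ARN.
variable "alb_arn" {
  description = "ARN of an existing application load balancer to protect"
}

# SQL injection match set: inspect the query string and body after URL decoding,
# so percent-encoded payloads are examined in their decoded form.
resource "aws_wafregional_sql_injection_match_set" "sqli" {
  name = "tfSqliMatchSet"

  sql_injection_match_tuple {
    text_transformation = "URL_DECODE"

    field_to_match {
      type = "QUERY_STRING"
    }
  }

  sql_injection_match_tuple {
    text_transformation = "URL_DECODE"

    field_to_match {
      type = "BODY"
    }
  }
}

# XSS match set on the same two fields; HTML entity decoding on the body
# catches entity-encoded markup.
resource "aws_wafregional_xss_match_set" "xss" {
  name = "tfXssMatchSet"

  xss_match_tuple {
    text_transformation = "URL_DECODE"

    field_to_match {
      type = "QUERY_STRING"
    }
  }

  xss_match_tuple {
    text_transformation = "HTML_ENTITY_DECODE"

    field_to_match {
      type = "BODY"
    }
  }
}

# One rule per match set. The predicate type must correspond to the set kind
# (SqlInjectionMatch for SQL injection sets, XssMatch for XSS sets).
resource "aws_wafregional_rule" "sqli" {
  name        = "tfSqliRule"
  metric_name = "tfSqliRule"

  predicate {
    data_id = "${aws_wafregional_sql_injection_match_set.sqli.id}"
    negated = false
    type    = "SqlInjectionMatch"
  }
}

resource "aws_wafregional_rule" "xss" {
  name        = "tfXssRule"
  metric_name = "tfXssRule"

  predicate {
    data_id = "${aws_wafregional_xss_match_set.xss.id}"
    negated = false
    type    = "XssMatch"
  }
}

# Web ACL: allow by default, block anything a rule matches.
# Priorities must be unique; lower numbers are evaluated first.
resource "aws_wafregional_web_acl" "app" {
  name        = "tfAppWebAcl"
  metric_name = "tfAppWebAcl"

  default_action {
    type = "ALLOW"
  }

  rule {
    priority = 1
    rule_id  = "${aws_wafregional_rule.sqli.id}"

    action {
      type = "BLOCK"
    }
  }

  rule {
    priority = 2
    rule_id  = "${aws_wafregional_rule.xss.id}"

    action {
      type = "BLOCK"
    }
  }
}

# Attach the ACL to the load balancer. Without this association the ACL
# exists but inspects no traffic.
resource "aws_wafregional_web_acl_association" "app" {
  resource_arn = "${var.alb_arn}"
  web_acl_id   = "${aws_wafregional_web_acl.app.id}"
}
```

Two points worth checking when adapting this: the text transformation is applied before the match runs, so a set with `NONE` will not see a payload that only decodes to something suspicious, and metric names must be alphanumeric or the API rejects the resource at apply time.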