Terraform WAF Web ACL Resource is useless?
Terraform provides a WAF Web ACL Resource. Can it be attached to anything using Terraform, such as an ALB, or is it useless?
With the release of the 1.12 AWS provider it is now possible to directly create regional WAF resources for use with load balancers.
You can now create any of aws_wafregional_byte_match_set, aws_wafregional_ipset, aws_wafregional_size_constraint_set, aws_wafregional_sql_injection_match_set or aws_wafregional_xss_match_set, linking these to aws_wafregional_rule as predicates and then in turn adding the WAF rules to an aws_wafregional_web_acl. Then finally you can attach the regional WAF to a load balancer with the aws_wafregional_web_acl_association resource.
The Regional WAF Web ACL association resource docs give a helpful example of how they all link together:
resource "aws_wafregional_ipset" "ipset" {
  name = "tfIPSet"

  ip_set_descriptor {
    type  = "IPV4"
    value = "192.0.7.0/24"
  }
}

resource "aws_wafregional_rule" "foo" {
  name        = "tfWAFRule"
  metric_name = "tfWAFRule"

  predicate {
    data_id = "${aws_wafregional_ipset.ipset.id}"
    negated = false
    type    = "IPMatch"
  }
}

resource "aws_wafregional_web_acl" "foo" {
  name        = "foo"
  metric_name = "foo"

  default_action {
    type = "ALLOW"
  }

  rule {
    action {
      type = "BLOCK"
    }

    priority = 1
    rule_id  = "${aws_wafregional_rule.foo.id}"
  }
}

resource "aws_vpc" "foo" {
  cidr_block = "10.1.0.0/16"
}

data "aws_availability_zones" "available" {}

resource "aws_subnet" "foo" {
  vpc_id            = "${aws_vpc.foo.id}"
  cidr_block        = "10.1.1.0/24"
  availability_zone = "${data.aws_availability_zones.available.names[0]}"
}

resource "aws_subnet" "bar" {
  vpc_id            = "${aws_vpc.foo.id}"
  cidr_block        = "10.1.2.0/24"
  availability_zone = "${data.aws_availability_zones.available.names[1]}"
}

resource "aws_alb" "foo" {
  internal = true
  subnets  = ["${aws_subnet.foo.id}", "${aws_subnet.bar.id}"]
}

resource "aws_wafregional_web_acl_association" "foo" {
  resource_arn = "${aws_alb.foo.arn}"
  web_acl_id   = "${aws_wafregional_web_acl.foo.id}"
}
The regional WAF resources have been caught up in a mixture of review and people abandoning pull requests but are scheduled for the AWS provider 1.12.0 release.

Currently there are only byte match set and IP address set resources available, so they're not much use without the rule, ACL and association resources to actually do things with.
Until then you could use CloudFormation with Terraform's own escape hatch, the aws_cloudformation_stack resource, with something like this:
resource "aws_lb" "load_balancer" {
  ...
}

resource "aws_cloudformation_stack" "waf" {
  name = "waf-example"

  parameters {
    ALBArn = "${aws_lb.load_balancer.arn}"
  }

  template_body = <<STACK
Parameters:
  ALBArn:
    Type: String
Resources:
  WAF:
    Type: AWS::WAFRegional::WebACL
    Properties:
      Name: WAF-Example
      DefaultAction:
        Type: BLOCK
      MetricName: WafExample
      Rules:
        - Action:
            Type: ALLOW
          Priority: 2
          RuleId:
            Ref: WhitelistRule
  WhitelistRule:
    Type: AWS::WAFRegional::Rule
    Properties:
      Name: WAF-Example-Whitelist
      MetricName: WafExampleWhiteList
      Predicates:
        - DataId:
            Ref: ExternalAPIURI
          Negated: false
          Type: ByteMatch
  ExternalAPIURI:
    Type: AWS::WAFRegional::ByteMatchSet
    Properties:
      Name: WAF-Example-StringMatch
      ByteMatchTuples:
        - FieldToMatch:
            Type: URI
          PositionalConstraint: STARTS_WITH
          TargetString: /public/
          TextTransformation: NONE
  WAFALBattachment:
    Type: AWS::WAFRegional::WebACLAssociation
    Properties:
      ResourceArn:
        Ref: ALBArn
      WebACLId:
        Ref: WAF
STACK
}
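The answer's example only wires an IP set into the web ACL. The following configuration is an added example, not from the original answer or the Terraform AWS provider docs; it walks the same match set -> rule -> web ACL -> association chain for the aws_wafregional_sql_injection_match_set and aws_wafregional_xss_match_set resources the answer lists. All resource names, the alb_arn variable and the metric names are assumptions; the syntax is the Terraform 0.11 interpolation style the answer uses.

```hcl
# ARN of an existing application load balancer (assumed input)
variable "alb_arn" {
  description = "ARN of the ALB to protect"
}

# Inspect the URL-decoded query string and the HTML-entity-decoded body for SQL injection
resource "aws_wafregional_sql_injection_match_set" "sqli" {
  name = "exampleSqli"

  sql_injection_match_tuple {
    text_transformation = "URL_DECODE"

    field_to_match {
      type = "QUERY_STRING"
    }
  }

  sql_injection_match_tuple {
    text_transformation = "HTML_ENTITY_DECODE"

    field_to_match {
      type = "BODY"
    }
  }
}

# Inspect the URL-decoded URI for cross-site scripting patterns
resource "aws_wafregional_xss_match_set" "xss" {
  name = "exampleXss"

  xss_match_tuple {
    text_transformation = "URL_DECODE"

    field_to_match {
      type = "URI"
    }
  }
}

# One rule per match set; metric_name must contain only letters and digits
resource "aws_wafregional_rule" "block_sqli" {
  name        = "exampleBlockSqli"
  metric_name = "exampleBlockSqli"

  predicate {
    data_id = "${aws_wafregional_sql_injection_match_set.sqli.id}"
    negated = false
    type    = "SqlInjectionMatch"
  }
}

resource "aws_wafregional_rule" "block_xss" {
  name        = "exampleBlockXss"
  metric_name = "exampleBlockXss"

  predicate {
    data_id = "${aws_wafregional_xss_match_set.xss.id}"
    negated = false
    type    = "XssMatch"
  }
}

# Default ALLOW; a request matching any rule is blocked. Lower priority values are evaluated first.
resource "aws_wafregional_web_acl" "acl" {
  name        = "exampleAcl"
  metric_name = "exampleAcl"

  default_action {
    type = "ALLOW"
  }

  rule {
    action {
      type = "BLOCK"
    }

    priority = 1
    rule_id  = "${aws_wafregional_rule.block_sqli.id}"
  }

  rule {
    action {
      type = "BLOCK"
    }

    priority = 2
    rule_id  = "${aws_wafregional_rule.block_xss.id}"
  }
}

# Attach the web ACL to the load balancer; an ALB can carry only one web ACL
resource "aws_wafregional_web_acl_association" "acl_alb" {
  resource_arn = "${var.alb_arn}"
  web_acl_id   = "${aws_wafregional_web_acl.acl.id}"
}
```

Two practical notes: the BODY field is only inspected up to the first 8 KB of the request body by this generation of AWS WAF, so body-based rules do not cover large uploads on their own, and when the ACL is first rolled out it is safer to set the rule actions to COUNT, watch the per-rule CloudWatch metrics named by metric_name for false positives, and switch to BLOCK afterwards. On Terraform 0.12 or later the same configuration works with the quotes around the interpolations removed.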