Struggling to automate terraform WAF

I'm trying to terraform a WAF ACL and its associated rules. The terraform stack I'm working on is identical in DEV, QA and PROD; the differences are all handled using different variables. So my idea is to store a list of CIDRs in a variable and automatically create ALLOW rules for each. My limited knowledge is slowing me down, though. It creates the ipsets perfectly, but the rules and ACL complain:

variable "cloud_allowed_cidr_list" {
  type    = "list"
  default = ["1.2.3.4/32", "4.3.2.1/32"]
}

# One IP set per CIDR in the list.
resource "aws_waf_ipset" "ipset" {
  count = "${length(var.cloud_allowed_cidr_list)}"
  name  = "ipset-${count.index}"

  ip_set_descriptors {
    type  = "IPV4"
    value = "${element(var.cloud_allowed_cidr_list, count.index)}"
  }
}

# One IPMatch rule per IP set. data_id must be a single id, so pick the
# element matching this rule's index rather than interpolating the whole list.
resource "aws_waf_rule" "matchIPrule" {
  count       = "${length(var.cloud_allowed_cidr_list)}"
  name        = "matchMancIPrule${count.index}"
  metric_name = "matchMancIPrule${count.index}"

  predicates {
    data_id = "${element(aws_waf_ipset.ipset.*.id, count.index)}"
    negated = false
    type    = "IPMatch"
  }
}

# The ACL has no count, so count.index is not available here. Each rules
# block has to be written out statically; this one only references the
# first rule.
resource "aws_waf_web_acl" "waf_acl" {
  name        = "mancACL"
  metric_name = "mancACL"

  default_action {
    type = "BLOCK"
  }

  rules {
    action {
      type = "ALLOW"
    }

    priority = 1
    rule_id  = "${aws_waf_rule.matchIPrule.0.id}"
    type     = "REGULAR"
  }
}

It fell apart when I realised that rules have multiple predicates, and the ACL has multiple rules... how do you create that dynamically? If anyone has any examples of doing something similar I'd be very grateful.

Since the release of 0.12 you can now do this using dynamic blocks.

No need to use count to iterate over your array.

resource "aws_waf_ipset" "ipset" {
  name = "youripset"

  # Generates one ip_set_descriptors block per CIDR in the list.
  dynamic "ip_set_descriptors" {
    iterator = ip
    for_each = var.cloud_allowed_cidr_list

    content {
      type  = "IPV4"
      value = ip.value
    }
  }
}
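The answer above only shows the IP set. The part the question actually got stuck on, several rules feeding one ACL, can be generated the same way. The following is an added example for Terraform 0.12+ (not code from the original post or the answer): a map of named CIDR groups drives one IP set and one IPMatch rule per group via for_each, and a dynamic "rules" block builds the web ACL's rule list with unique priorities. The variable name, the group names and the "mancACL" naming are assumptions for illustration.

```hcl
# Added example, not from the original post. Variable and resource names are
# assumptions; the structure is what the question asked for.
terraform {
  required_version = ">= 0.12"
}

# Map of rule name -> list of CIDRs. Keys become rule names, so keep them
# stable across DEV/QA/PROD and vary only the CIDR lists per environment.
# WAF Classic IPv4 descriptors must be /8, /16, /24 or /32.
variable "cloud_allowed_cidrs" {
  type = map(list(string))
  default = {
    office = ["1.2.3.4/32"]
    vpn    = ["4.3.2.1/32", "5.6.7.0/24"]
  }
}

# One IP set per group, each holding every CIDR in that group.
resource "aws_waf_ipset" "allowed" {
  for_each = var.cloud_allowed_cidrs
  name     = "allowed-${each.key}"

  dynamic "ip_set_descriptors" {
    for_each = each.value
    content {
      type  = "IPV4"
      value = ip_set_descriptors.value
    }
  }
}

# One rule per IP set. A rule may carry several predicates blocks; here
# each rule has the single IPMatch predicate for its group.
# metric_name must be alphanumeric, so strip anything else from the key.
resource "aws_waf_rule" "allowed" {
  for_each    = var.cloud_allowed_cidrs
  name        = "allowed-${each.key}"
  metric_name = replace("allowed${each.key}", "/[^a-zA-Z0-9]/", "")

  predicates {
    data_id = aws_waf_ipset.allowed[each.key].id
    negated = false
    type    = "IPMatch"
  }
}

# Sorted keys give every rule a stable, unique priority across applies.
locals {
  rule_keys = sort(keys(var.cloud_allowed_cidrs))
}

# Default BLOCK, with one ALLOW rule per group generated by a dynamic block.
# For a list, rules.key is the index and rules.value the element.
resource "aws_waf_web_acl" "acl" {
  name        = "mancACL"
  metric_name = "mancACL"

  default_action {
    type = "BLOCK"
  }

  dynamic "rules" {
    for_each = local.rule_keys
    content {
      priority = rules.key + 1
      rule_id  = aws_waf_rule.allowed[rules.value].id
      type     = "REGULAR"

      action {
        type = "ALLOW"
      }
    }
  }
}
```

Two caveats worth checking before relying on this. First, aws_waf_* resources are WAF Classic global resources and attach only to CloudFront; for an ALB or API Gateway the equivalent aws_wafregional_* resources are needed, and new deployments should consider aws_wafv2_web_acl instead. Second, with default_action BLOCK and an allow-list, an empty or mistyped CIDR list in a given environment's variables locks everyone out, so a `terraform plan` should be reviewed for the expected number of rules before applying to PROD.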
