堆栈内存溢出
  简体   繁体   English

将 Terraform 与 AWS 一起使用时,如何在 ALB 上对特定 URI 路径(或 URI 路径的正则表达式)设置速率限制

[英]When using Terraform with AWS, how can I set a rate limit on a specific URI path (or regex of a URI path) on an ALB

 原文  2020-12-11 13:55:39       amazon-web-services/ terraform/ amazon-waf

问题描述

I am trying to rate limit requests to the forgot password change URL using WAFv2 rules attached to an ALB on Cloudfront.我正在尝试使用附加到 Cloudfront 上的 ALB 的 WAFv2 规则对忘记密码更改 URL 的限制请求进行评级。

What I think I need to do is..我认为我需要做的是..

Create two resources aws_wafv2_web_acl.afv2_rate_limit and another called aws_wafv2_regex_pattern_set.wafv2_password_url创建两个资源 aws_wafv2_web_acl.afv2_rate_limit 和另一个名为 aws_wafv2_regex_pattern_set.wafv2_password_url

Example of rate: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl费率示例: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl

Example of regex: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_regex_pattern_set正则表达式示例: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_regex_pattern_set

Combine these into a rule group, call it aws_wafv2_rule_group.wafv2_rule_group_pw_rate_group将这些组合成一个规则组,称之为 aws_wafv2_rule_group.wafv2_rule_group_pw_rate_group

Example of group: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_rule组示例: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_rule

I've created the rate limit and the regex, but I am failing to create the rule group.我已经创建了速率限制和正则表达式,但我无法创建规则组。 I put this rule in to refer to the rate limit我把这个规则放在参考速率限制

    rule {
        name = "rate_limit"
        priority = 1
        action {
            block {}
        }
        statement {
            and_statement {
                statement {
                    rule_group_reference_statement {  # !!FIXME!! doesn't work
                        arn = aws_wafv2_web_acl.wafv2_rate_limit.arn
                    }
                }
           }
        }
        visibility_config {
            cloudwatch_metrics_enabled = false
            metric_name                = "password_url"
            sampled_requests_enabled   = false
        }
    }

I get the error on the rule_group_reference_statement line:我在 rule_group_reference_statement 行收到错误:

Blocks of type "rule_group_reference_statement" are not expected here.

I can attach the rule group to the ALB.我可以将规则组附加到 ALB。

of course, the first question is whether this is even the right way to go about it?!当然,第一个问题是这是否是go的正确方式呢?!

thanks for any thoughts.感谢您的任何想法。

3 个解决方案

解决方案1
 0  2020-12-11 15:50:47

You can't nest a rule_group_reference_statement, for example for use inside a and_statement, not_statement or or_statement.不能嵌套 rule_group_reference_statement,例如在 and_statement、not_statement 或 or_statement 中使用。 It can only be referenced as a top-level statement within a rule.它只能作为规则中的顶级语句引用。

解决方案2
 0  2020-12-14 10:38:17

working!在职的!

resource "aws_wafv2_web_acl" "wafv2_alb_pw5pm_acl" {
    name        = "wafv2_alb_pw5pm-acl"
    description = "prevent brute forcing password setting or changing"
    scope       = "REGIONAL"       # if using this, no need to set provider

    default_action {
        allow {}    # pass traffic until the rules trigger a block
    }

    rule {
        name     = "rate_limit_pw5pm"
        priority = 1

        action {
            block {}
        }
        statement {
            rate_based_statement {
                #limit              = 300    # 5 per sec = 300 per min
                limit              = 100     # smallest value for testing
                aggregate_key_type = "IP"

                scope_down_statement {
                    regex_pattern_set_reference_statement {
                        arn = aws_wafv2_regex_pattern_set.wafv2_password_uri.arn
                        text_transformation {
                            priority = 1
                            type     = "NONE"
                        }
                        field_to_match {
                            uri_path {}
                        }
                    }
                }
            }

        }
        visibility_config {
            cloudwatch_metrics_enabled = true
            metric_name                = "wafv2_alb_pw5pm_acl_rule_vis"
            sampled_requests_enabled   = false
        }
    }

    visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = "wafv2_alb_pw5pm_acl_vis"
        sampled_requests_enabled   = false
    }

    tags = {
        managedby   = "terraform"
    }
}


resource "aws_wafv2_web_acl_association" "web_acl_association_my_lb" {
    resource_arn = aws_lb.xxxxxx.arn
    web_acl_arn  = aws_wafv2_web_acl.wafv2_alb_pw5pm_acl.arn
}

解决方案3
 0  

yes you can.是的你可以。 basically you need to declare an aws_wafv2_regex_pattern_set , in this example I use the URI "/api/*" but it can be a fixed one too.基本上你需要声明一个aws_wafv2_regex_pattern_set ,在这个例子中我使用 URI "/api/*" 但它也可以是一个固定的。

resource "aws_wafv2_regex_pattern_set" "regex_pattern_api" {
  name  = "regex-path-api"
  scope = "REGIONAL"

  regular_expression {
    regex_string = "/api/.+"
  }
}

and the here is an example on how to use it on a waf declaration:这是一个关于如何在 waf 声明中使用它的示例:

resource "aws_wafv2_web_acl" "waf" {
  name  = "waf"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "RateLimit"
    priority = 1

    action {
      block {}
    }

    statement {

      rate_based_statement {
        aggregate_key_type = "IP"
        limit              = 100

        scope_down_statement {
          regex_pattern_set_reference_statement {
            arn = aws_wafv2_regex_pattern_set.regex_pattern_api.arn

            field_to_match {
              uri_path {}
            }
            text_transformation {
              priority = 1
              type     = "NONE"
            }
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "RateLimit"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "waf"
    sampled_requests_enabled   = false
  }
}

The cool part of this is that it is a rate limit that narrows the filter based on client IP using scope_down_statement这个很酷的部分是它是一个速率限制,使用scope_down_statement缩小基于客户端 IP 的过滤器

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何使用 java 使用正则表达式从 aws s3 虚拟路径 uri 中提取区域信息? - How to extract region information from aws s3 virtual path uri using regex using java? Terraform AWS ALB 监听器规则路径 - Terraform AWS ALB listener rule path AWS WAFV2:允许访问特定 URI 路径的 ACL 规则 - AWS WAFV2: ACL Rule for allowing access to specific URI Path 如何在AWS Lambda函数中从AWS API Gateway URI访问请求和路径变量 - How do I get access to the request and path variables from AWS API Gateway URI in an AWS Lambda function 使用主机和路径条件对aws_alb_listener_rule进行Terraform - Terraform aws_alb_listener_rule with host AND path conditions 当我更改路径时,基于 AWS ALB 目标组路径的路由不起作用 - AWS ALB target group path based routing not working when I change the path 如何使用 kubernetes_ingress terraform 资源创建 AWS ALB? - How to create AWS ALB using kubernetes_ingress terraform resource? 如何在 terraform 中为 AWS apigateway version2 创建路由路径? - How can I create route path in terraform for AWS apigateway version2? 如何使用 Python 中的 AWS CDK 创建具有动态 URI 的 API 网关端点? - How can I create an API Gateway end point with a dynamic URI using the AWS CDK in Python? 我如何使用 aws CLI 获取我的 ECR 图像的 URI - How can i get the URI of my ECR image using aws CLI
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM