
How to exclude a list of variablized rules dynamically from the AWS WAF Terraform resource aws_wafv2_web_acl

I am trying to create an AWS WEB-ACL with multiple rules using Terraform, and I also want to exclude multiple rules from an AWS Managed rule set. But I am not able to dynamically exclude multiple rules that come from a variable. Here is my code.

variables.tfvars

# Region
region="us-east-1"

# Environment
environment="nonprod"


# ACLs Definations
acls = {
  web: {
    AWSManagedRuleSets: [
      {
        name: "AWSManagedRulesCommonRuleSet",
        vendor_name: "AWS",
        excluded_rule: [
          "SizeRestrictions_QUERYSTRING",
          "NoUserAgent_HEADER"
        ]
      }
    ]
  },

  api: {
    AWSManagedRuleSets: [
      {
        name: "AWSManagedRulesCommonRuleSet",
        vendor_name: "AWS",
        excluded_rule: [
          "SizeRestrictions_QUERYSTRING",
          "NoUserAgent_HEADER"
        ]
      },
      {
        name: "AWSManagedRulesLinuxRuleSet",
        vendor_name: "AWS",
        excluded_rule: []
      }
    ]
  },
}

main.tf

resource "aws_wafv2_web_acl" "web_acl" {
  for_each = var.acls
  name        = "waf-web-acl-${lower(var.environment)}-${each.key}"
  description = "WAF ACL ap-${each.key} for env ${lower(var.environment)}"
  scope       = "REGIONAL"

  default_action {
    allow {}
  }


  dynamic "rule" {
    for_each = var.acls[each.key]["AWSManagedRuleSets"]
    content {
      name = rule.value.name
      priority = 0
      override_action {
        count {}
      }
      statement {
        managed_rule_group_statement {
          name        = rule.value.name
          vendor_name = rule.value.vendor_name
//    HERE I WANNA EXCLUDE ALL THE RULE LISTED IN VARIABLE
//          excluded_rule = rule.value.excluded_rule
//          excluded_rule {
//            name = "SizeRestrictions_QUERYSTRING"
//          }
//          excluded_rule {
//            name = "NoUserAgent_HEADER"
//          }
        }
      }
      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = "waf-rule-${lower(var.environment)}-${each.key}-${rule.value.name}"
        sampled_requests_enabled   = true
      }
    }
  }

  tags = {
    ManagedBy = "Terraform"
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "waf-web-acl-${lower(var.environment)}-${each.key}"
    sampled_requests_enabled   = true
  }
}

I don't have access to AWS, but I think a nested block like the one below can be used:

dynamic "rule" {
    for_each = var.acls[each.key]["AWSManagedRuleSets"]
    content {
      name = rule.value.name
      priority = 0
      override_action {
        count {}
      }
      statement {
        managed_rule_group_statement {
          name        = rule.value.name
          vendor_name = rule.value.vendor_name
          // another for_each loop to iterate over the excluded_rule list;
          // excluded_rule is a nested block of managed_rule_group_statement
          dynamic "excluded_rule" {
            for_each = rule.value.excluded_rule
            content {
              name = excluded_rule.value
            }
          }
        }
      }
      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = "waf-rule-${lower(var.environment)}-${each.key}-${rule.value.name}"
        sampled_requests_enabled   = true
      }
    }
}
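Below is an added, complete version of the module (example code written for this page, not the asker's or answerer's own files). It assumes the `acls` and `environment` variables are declared as shown, that the tfvars from the question are used unchanged, and it makes two changes a reviewer would want: each managed rule set gets a distinct `priority` (WAFv2 rejects duplicate priorities within one web ACL, so the fixed `priority = 0` in the question fails as soon as a key lists two rule sets), and `override_action` is `none {}` so the managed group actually blocks. The question's `count {}` turns the whole group into monitor-only, which is appropriate for an initial tuning phase but not as a permanent setting; the per-rule exclusions already put just the listed rules into count mode.

```hcl
# variables.tf (added example): declare the shape of `acls` so a typo in a
# rule-set key fails at plan time instead of producing an empty block.
variable "environment" {
  type = string
}

variable "acls" {
  type = map(object({
    AWSManagedRuleSets = list(object({
      name          = string
      vendor_name   = string
      excluded_rule = list(string)
    }))
  }))
}

# main.tf (added example): one web ACL per key in var.acls, one rule per
# managed rule set, one excluded_rule block per entry in that set's list.
resource "aws_wafv2_web_acl" "web_acl" {
  for_each    = var.acls
  name        = "waf-web-acl-${lower(var.environment)}-${each.key}"
  description = "WAF ACL ${each.key} for env ${lower(var.environment)}"
  scope       = "REGIONAL"

  default_action {
    allow {}
  }

  dynamic "rule" {
    for_each = each.value.AWSManagedRuleSets
    content {
      name = rule.value.name
      # rule.key is the list index (0, 1, ...), which gives every managed
      # rule set in this ACL a unique priority.
      priority = rule.key

      # none {} keeps the managed group's own actions; count {} (as in the
      # question) would downgrade every rule in the group to count-only.
      override_action {
        none {}
      }

      statement {
        managed_rule_group_statement {
          name        = rule.value.name
          vendor_name = rule.value.vendor_name

          # excluded_rule must sit inside managed_rule_group_statement.
          # An empty excluded_rule list (e.g. AWSManagedRulesLinuxRuleSet in
          # the tfvars) simply yields no blocks.
          dynamic "excluded_rule" {
            for_each = rule.value.excluded_rule
            content {
              name = excluded_rule.value
            }
          }
        }
      }

      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = "waf-rule-${lower(var.environment)}-${each.key}-${rule.value.name}"
        sampled_requests_enabled   = true
      }
    }
  }

  tags = {
    ManagedBy = "Terraform"
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "waf-web-acl-${lower(var.environment)}-${each.key}"
    sampled_requests_enabled   = true
  }
}
```

With the tfvars from the question, `terraform plan` produces two web ACLs: `web` with one managed rule (two excluded rules) and `api` with two managed rules at priorities 0 and 1, the second with no exclusions. On AWS provider releases where `excluded_rule` is deprecated, the same `dynamic` loop applies to the replacement `rule_action_override` block, with `action_to_use { count {} }` inside each override to reproduce the count behaviour of an exclusion.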
