From a0e75ec2b8739c3d76d7c6498e1a915d64f813fc Mon Sep 17 00:00:00 2001 From: olamide Date: Tue, 12 Mar 2024 12:17:34 +0100 Subject: [PATCH 1/2] Add input variable for rate limit evaluation seconds --- aws/waf/main.tf | 5 +++-- aws/waf/variables.tf | 13 +++++++------ 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/aws/waf/main.tf b/aws/waf/main.tf index 2ac955c6..33cb7292 100644 --- a/aws/waf/main.tf +++ b/aws/waf/main.tf @@ -33,8 +33,9 @@ resource "aws_wafv2_web_acl" "main" { } statement { rate_based_statement { - limit = rule.value["limit"] - aggregate_key_type = "IP" + limit = rule.value["limit"] + aggregate_key_type = "IP" + evaluation_window_sec = rule.value["evaluation_window_sec"] dynamic "scope_down_statement" { for_each = length(concat(rule.value["country_list"], rule.value["exempt_country_list"])) > 0 ? [1] : [] diff --git a/aws/waf/variables.tf b/aws/waf/variables.tf index aafc5924..bc06a447 100644 --- a/aws/waf/variables.tf +++ b/aws/waf/variables.tf @@ -34,12 +34,13 @@ variable "aws_managed_rule_groups" { variable "rate_limit_rules" { description = "Rule statement to track and rate limits requests when they are coming at too fast a rate.. For more details, visit - https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html" type = map(object({ - name = string # Name of the Rate limit rule group - priority = number # Relative processing order for rate limit rule relative to other rules processed by AWS WAF. - limit = optional(number, 2000) # This is the limit on requests from any single IP address within a 5 minute period - count_override = optional(bool, false) # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`. Default value is false. - country_list = optional(list(string), []) # List of countries to apply the rate limit to. If populated, from other countries will be ignored by this rule. IF empty, the rule will apply to all traffic. You must either specify country_list or exempt_country_list, but not both. - exempt_country_list = optional(list(string), []) # List of countries to exempt from the rate limit. If populated, the selected countries will be ignored by this rule. IF empty, the rule will apply to all traffic. You must either specify country_list or exempt_country_list, but not both. + name = string # Name of the Rate limit rule group + priority = number # Relative processing order for rate limit rule relative to other rules processed by AWS WAF. + limit = optional(number, 2000) # This is the limit on requests from any single IP address within a 5 minute period + count_override = optional(bool, false) # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`. Default value is false. + country_list = optional(list(string), []) # List of countries to apply the rate limit to. If populated, from other countries will be ignored by this rule. IF empty, the rule will apply to all traffic. You must either specify country_list or exempt_country_list, but not both. + exempt_country_list = optional(list(string), []) # List of countries to exempt from the rate limit. If populated, the selected countries will be ignored by this rule. IF empty, the rule will apply to all traffic. You must either specify country_list or exempt_country_list, but not both. + evaluation_window_sec = optional(number, 300) # The amount of time, in seconds, that AWS WAF should include in its request counts, looking back from the current time. Defaults to 300 seconds. Valid values are 60, 120, 300, and 600. })) } From 6b848d3b17c20aeb8ca25ca1469aa996aee26c95 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Tue, 12 Mar 2024 11:18:20 +0000 Subject: [PATCH 2/2] terraform-docs: automated action --- aws/waf/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws/waf/README.md b/aws/waf/README.md index b57d386b..9cbdd282 100644 --- a/aws/waf/README.md +++ b/aws/waf/README.md @@ -83,7 +83,7 @@ Note: For each rule, if you are providing a country list, you can only specify e | [aws\_managed\_rule\_groups](#input\_aws\_managed\_rule\_groups) | Rule statement values used to run the rules that are defined in a managed rule group. You may review this list for the available AWS managed rule groups - https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html | 
map(object({
    name                = string                     # Name of the Managed rule group
    priority            = number                     # Relative processing order for rules processed by AWS WAF. All rules are processed from lowest priority to the highest.
    count_override      = optional(bool, true)       # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`.
    country_list        = optional(list(string), []) # List of countries to apply the managed rule to. If populated, from other countries will be ignored by this rule. IF empty, the rule will apply to all traffic. You must either specify country_list or exempt_country_list, but not both.
    exempt_country_list = optional(list(string), []) # List of countries to exempt from the managed rule. If populated, the selected countries will be ignored by this rule. IF empty, the rule will apply to all traffic. You must either specify country_list or exempt_country_list, but not both.
  }))
| n/a | yes | | [block\_ip\_list](#input\_block\_ip\_list) | List of IP addresses to be blocked and denied access to the ingress / cloudfront. | `list(string)` | `[]` | no | | [name](#input\_name) | Friendly name of the WebACL. | `string` | n/a | yes | -| [rate\_limit\_rules](#input\_rate\_limit\_rules) | Rule statement to track and rate limits requests when they are coming at too fast a rate.. For more details, visit - https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html | 
map(object({
    name                = string                     # Name of the Rate limit rule group
    priority            = number                     # Relative processing order for rate limit rule relative to other rules processed by AWS WAF.
    limit               = optional(number, 2000)     # This is the limit on requests from any single IP address within a 5 minute period
    count_override      = optional(bool, false)      # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`. Default value is false.
    country_list        = optional(list(string), []) # List of countries to apply the rate limit to. If populated, from other countries will be ignored by this rule. IF empty, the rule will apply to all traffic. You must either specify country_list or exempt_country_list, but not both.
    exempt_country_list = optional(list(string), []) # List of countries to exempt from the rate limit. If populated, the selected countries will be ignored by this rule. IF empty, the rule will apply to all traffic. You must either specify country_list or exempt_country_list, but not both.
  }))
| n/a | yes | +| [rate\_limit\_rules](#input\_rate\_limit\_rules) | Rule statement to track and rate limits requests when they are coming at too fast a rate.. For more details, visit - https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html | 
map(object({
    name                  = string                     # Name of the Rate limit rule group
    priority              = number                     # Relative processing order for rate limit rule relative to other rules processed by AWS WAF.
    limit                 = optional(number, 2000)     # This is the limit on requests from any single IP address within a 5 minute period
    count_override        = optional(bool, false)      # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`. Default value is false.
    country_list          = optional(list(string), []) # List of countries to apply the rate limit to. If populated, from other countries will be ignored by this rule. IF empty, the rule will apply to all traffic. You must either specify country_list or exempt_country_list, but not both.
    exempt_country_list   = optional(list(string), []) # List of countries to exempt from the rate limit. If populated, the selected countries will be ignored by this rule. IF empty, the rule will apply to all traffic. You must either specify country_list or exempt_country_list, but not both.
    evaluation_window_sec = optional(number, 300)      # The amount of time, in seconds, that AWS WAF should include in its request counts, looking back from the current time. Defaults to 300 seconds. Valid values are 60, 120, 300, and 600.
  }))
| n/a | yes | | [resource\_arn](#input\_resource\_arn) | The Amazon Resource Name (ARN) of the resource to associate with the web ACL. This must be an ARN of an Application Load Balancer or an Amazon API Gateway stage. Value is required if scope is REGIONAL | `string` | `null` | no | | [waf\_scope](#input\_waf\_scope) | Specifies whether this is for an AWS CloudFront distribution or for a regional application. Valid values are CLOUDFRONT or REGIONAL. | `string` | `"REGIONAL"` | no |