Closed pradeepjairamani1 closed 2 years ago
Files identified in the description: None
If these files are inaccurate, please update the component name
section of the description or use the !component
bot command.
Files identified in the description:
plugins/modules/wafv2_web_acl.py
If these files are inaccurate, please update the component name
section of the description or use the !component
bot command.
cc @jillr @markuman @s-hertel @tremble
Yes, that's possible - more or less.
First, it must be solved using ansible. There is no aws/boto3/something that helps you here.
This is how we do this.
Defaults vars dictionary, where every key represents a re-usable rule - but without the priority parameter.
The priority must be autogenerated. Otherwise you end up with duplicated priorities or wrongly ordered rule sets.
roles/wafv2/defaults/main.yml

```yaml
WAFv2_module:
  ip_protect:
    name: ip_protect
    override_action:
      none: {}
    visibility_config:
      sampled_requests_enabled: yes
      cloud_watch_metrics_enabled: yes
      metric_name: ip_protect
    statement:
      managed_rule_group_statement:
        vendor_name: AWS
        name: AWSManagedRulesAmazonIpReputationList
  wordpress_protect:
    name: wordpress-protect
    override_action:
      none: {}
    visibility_config:
      sampled_requests_enabled: yes
      cloud_watch_metrics_enabled: yes
      metric_name: wordpress-protect
    statement:
      managed_rule_group_statement:
        vendor_name: AWS
        name: AWSManagedRulesWordPressRuleSet
  ip_protect_without_hosting_providers:
    name: AWS-AWSManagedRulesAnonymousIpList
    override_action:
      none: {}
    visibility_config:
      sampled_requests_enabled: yes
      cloud_watch_metrics_enabled: yes
      metric_name: AWS-AWSManagedRulesAnonymousIpList
    statement:
      managed_rule_group_statement:
        vendor_name: AWS
        name: AWSManagedRulesAnonymousIpList
        excluded_rules:
          - name: HostingProviderIPList
```
In every single waf, you can concatenate a list of rules that you pick from defaults/main.yml.
The order (priority) is given by the order of the array/list itself.
roles/wafv2/tasks/wordpress.yml

```yaml
- name: wordpress waf
  tags:
    - waf
    - wordpress_waf
  block:
    - name: build wordpress waf rules
      set_fact:
        wordpress_alb_waf_rules:
          - "{{ WAFv2_module.ip_protect_without_hosting_providers }}"
          - "{{ WAFv2_module.wordpress_protect }}"
    - name: wordpress web acl
      community.aws.wafv2_web_acl:
        name: wordpress_waf
        state: present
        description: public wordpress waf
        scope: REGIONAL
        default_action: Allow
        sampled_requests: yes
        cloudwatch_metrics: yes
        ### here we apply the filter to add the missing priority parameter
        rules: "{{ wordpress_alb_waf_rules | add_int_priority }}"
```
And the filter itself. Maybe it's also possible to achieve this without writing some lines of Python.
filter_plugins/priority_filtert.py

```python
#!/usr/bin/python


class FilterModule(object):
    def filters(self):
        return {
            'add_int_priority': self.add_int_priority
        }

    def add_int_priority(self, input):
        # Assign priority 1, 2, 3, ... following the order of the input list,
        # so every rule gets a unique priority without stating it in defaults.
        retval = list()
        counter = 1
        for item in input:
            item['priority'] = int(counter)
            counter += 1
            retval.append(item)
        return retval
```
Another way I can think of is if you merge just the exclude parameter into it:

```yaml
exclude_hosting_provider:
  statement:
    managed_rule_group_statement:
      excluded_rules:
        - name: HostingProviderIPList
```

And then something like:

```yaml
rules:
  - "{{ WAFv2_module.ip_protect | combine(exclude_hosting_provider, list_merge='append') }}"
```
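An added example, not code from this issue or from the community.aws collection: a plain-Python model of both options side by side. It deep-copies the shared defaults, appends a per-ACL excluded_rules list the way combine(..., list_merge='append') does in Jinja, and then assigns priorities by list order like the add_int_priority filter, checking that no priority or rule name is duplicated. The WAFV2_MODULE dict, with_excluded_rules and build_acl_rules are constructed for this example.

```python
import copy

# Constructed sample mirroring two entries of the WAFv2_module defaults above.
# HostingProviderIPList is a rule inside the AWSManagedRulesAnonymousIpList group.
WAFV2_MODULE = {
    "anonymous_ip": {
        "name": "anonymous_ip",
        "override_action": {"none": {}},
        "statement": {"managed_rule_group_statement": {
            "vendor_name": "AWS", "name": "AWSManagedRulesAnonymousIpList"}},
    },
    "wordpress_protect": {
        "name": "wordpress-protect",
        "override_action": {"none": {}},
        "statement": {"managed_rule_group_statement": {
            "vendor_name": "AWS", "name": "AWSManagedRulesWordPressRuleSet"}},
    },
}


def with_excluded_rules(rule, excluded):
    """Option B on a copy: append per-ACL excluded_rules to the managed rule
    group statement, as combine(..., list_merge='append') does for a list key."""
    rule = copy.deepcopy(rule)
    if excluded:
        mrgs = rule["statement"]["managed_rule_group_statement"]
        mrgs["excluded_rules"] = mrgs.get("excluded_rules", []) + [
            {"name": n} for n in excluded]
    return rule


def add_int_priority(rules):
    """Option A: priority follows list order, 1-based, like the thread's filter.
    Each rule is copied so the shared defaults are never modified in place."""
    out = []
    for prio, rule in enumerate(rules, start=1):
        rule = copy.deepcopy(rule)
        rule["priority"] = prio
        out.append(rule)
    return out


def build_acl_rules(selection):
    """selection: list of (defaults key, [rule names to exclude in this ACL])."""
    picked = [with_excluded_rules(WAFV2_MODULE[key], ex) for key, ex in selection]
    rules = add_int_priority(picked)
    # The failure mode the thread warns about: duplicated priorities (or names).
    assert len({r["priority"] for r in rules}) == len(rules)
    assert len({r["name"] for r in rules}) == len(rules)
    return rules
```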
I was thinking of going with Option A, looks like option B will be a bit confusing. Thanks for the help.
Summary
Hello,
my ruleset information is stored at role/defaults/main.yml and I want to use the rulesets in multiple WebACLs, but there are different rules I want to exclude for each WebACL. Is there a way I can exclude the rules directly from /tasks/main.yaml?
Issue Type
Documentation Report
Component Name
wafv2_web_acl
Ansible Version
```
bash-3.2$ ansible --version
ansible [core 2.11.0]
  config file = None
  configured module search path = ['/Users/pradeep/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/Cellar/ansible/4.0.0/libexec/lib/python3.9/site-packages/ansible
  ansible collection location = /Users/pradeep/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.9.5 (default, May 4 2021, 03:36:27) [Clang 12.0.0 (clang-1200.0.32.29)]
  jinja version = 3.0.1
  libyaml = True
```
Collection Versions
Configuration
OS / Environment
No response
Additional Information
No response