ansible-collections / community.aws

Ansible Collection for Community AWS
GNU General Public License v3.0

Exclude rules configuration through tasks/main.yaml #947

Closed pradeepjairamani1 closed 2 years ago

pradeepjairamani1 commented 2 years ago

Summary

Hello,

My ruleset information is stored at role/defaults/main.yml and I want to use the rulesets in multiple WebACLs, but there are different rules I want to exclude for each WebACL. Is there a way I can exclude the rules directly from /tasks/main.yaml?

/tasks/main.yaml

    rules:
    - "{{ WAFv2_module.ip_reputation_ruleset }}"

role/defaults/main.yml

anonymous_ip_ruleset:
    name: AWS-AWSManagedRulesAnonymousIpList
    priority: 1
    override_action:
      none: {}
    visibility_config:
      sampled_requests_enabled: yes
      cloud_watch_metrics_enabled: yes
      metric_name: AWS-AWSManagedRulesAnonymousIpList
    statement:
      managed_rule_group_statement:
        vendor_name: AWS
        name: AWSManagedRulesAnonymousIpList
        excluded_rules:
         -  name: HostingProviderIPList

Issue Type

Documentation Report

Component Name

wafv2_web_acl

Ansible Version

$ ansible --version

bash-3.2$ ansible --version
ansible [core 2.11.0]
  config file = None
  configured module search path = ['/Users/pradeep/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/Cellar/ansible/4.0.0/libexec/lib/python3.9/site-packages/ansible
  ansible collection location = /Users/pradeep/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.9.5 (default, May 4 2021, 03:36:27) [Clang 12.0.0 (clang-1200.0.32.29)]
  jinja version = 3.0.1
  libyaml = True

Collection Versions

$ ansible-galaxy collection list

Configuration

$ ansible-config dump --only-changed

OS / Environment

No response

Additional Information

No response

Code of Conduct

ansibullbot commented 2 years ago

Files identified in the description: None

If these files are inaccurate, please update the component name section of the description or use the !component bot command.

click here for bot help

ansibullbot commented 2 years ago

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.

click here for bot help

ansibullbot commented 2 years ago

cc @jillr @markuman @s-hertel @tremble click here for bot help

markuman commented 2 years ago

Yes, that's possible - more or less.
First, it must be solved using ansible. There is no aws/boto3/something that helps you here.

Option A

This is how we do this.

Defaults vars dictionary, where every key represents a re-usable rule, but without the priority parameter.
The priority must be autogenerated; otherwise you end up with duplicated priorities or wrongly ordered rule sets.

roles/wafv2/defaults/main.yml

WAFv2_module:
  ip_protect:
    name: ip_protect
    override_action:
      none: {}
    visibility_config:
      sampled_requests_enabled: yes
      cloud_watch_metrics_enabled: yes
      metric_name: ip_protect
    statement:
      managed_rule_group_statement:
        vendor_name: AWS
        name: AWSManagedRulesAmazonIpReputationList
  wordpress_protect:
    name: wordpress-protect
    override_action:
      none: {}
    visibility_config:
      sampled_requests_enabled: yes
      cloud_watch_metrics_enabled: yes
      metric_name: wordpress-protect
    statement:
      managed_rule_group_statement:
        vendor_name: AWS
        name: AWSManagedRulesWordPressRuleSet
  ip_protect_without_hosting_providers:
    name: AWS-AWSManagedRulesAnonymousIpList
    override_action:
      none: {}
    visibility_config:
      sampled_requests_enabled: yes
      cloud_watch_metrics_enabled: yes
      metric_name: AWS-AWSManagedRulesAnonymousIpList
    statement:
      managed_rule_group_statement:
        vendor_name: AWS
        name: AWSManagedRulesAnonymousIpList
        excluded_rules:
        -  name: HostingProviderIPList

In every single WAF, you can concatenate a list of rules that you pick from defaults/main.yml.
The order (priority) is given by the order of the array/list itself.

roles/wafv2/tasks/wordpress.yml

- name: wordpress waf
  tags:
    - waf
    - wordpress_waf
  block:
    - name: build wordpress waf rules
      set_fact:
        wordpress_alb_waf_rules:
          - "{{ WAFv2_module.ip_protect_without_hosting_providers }}"
          - "{{ WAFv2_module.wordpress_protect }}"

    - name: wordpress web acl
      community.aws.wafv2_web_acl:
        name: wordpress_waf
        state: present
        description: public wordpress waf
        scope: REGIONAL
        default_action: Allow
        sampled_requests: yes
        cloudwatch_metrics: yes
        ### here we apply the filter to add the missing priority parameter
        rules: "{{ wordpress_alb_waf_rules | add_int_priority }}"

And the filter itself. Maybe it's also possible to achieve this without writing some lines of Python.

filter_plugins/priority_filtert.py

#!/usr/bin/python
# Custom filter: give every rule a priority equal to its 1-based position in
# the list, so the list order in tasks/*.yml is the order AWS WAF evaluates
# the rules in and no two rules can share a priority.
class FilterModule(object):
    def filters(self):
        return {
            'add_int_priority': self.add_int_priority
        }

    def add_int_priority(self, input):
        retval = list()
        counter = 1
        for item in input:
            # copy the rule so the shared defaults/main.yml dict is not
            # modified in place when the same rule is used by several WebACLs
            item = dict(item)
            item['priority'] = int(counter)
            counter += 1
            retval.append(item)
        return retval

Option B

Another way I can think of is to merge just the exclude parameter into it.

exclude_hosting_provider:
  statement:
      managed_rule_group_statement:
        excluded_rules:
          -  name: HostingProviderIPList

And then something like:

rules:
  # recursive=True is needed, otherwise combine replaces the whole 'statement'
  # mapping and vendor_name/name of the managed rule group are lost
  - "{{ WAFv2_module.ip_protect | combine(exclude_hosting_provider, recursive=True, list_merge='append') }}"
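
As an added example that is not part of this thread or of the community.aws collection, the following filter_plugins module puts both options into one piece of Python: add_int_priority numbers rules from list order (Option A), merge_rule deep-merges a small override such as an excluded_rules fragment into a base rule (Option B, the behaviour combine only has with recursive=True), and check_rules reports the problems the module would otherwise carry to AWS: missing or duplicate priorities, duplicate rule names, and a managed rule group statement that lost vendor_name/name after a shallow merge. The sample rule data, the function names and the shallow_merge comparison helper are assumptions made here; the rule group and excluded rule names are the ones used in the thread.

```python
"""Added example (not from the issue thread or the community.aws collection):
a filter_plugins module covering Option A and Option B. Rule data, helper
names and the shallow_merge comparison are assumptions made here."""
import copy

# Constructed sample in the shape of roles/wafv2/defaults/main.yml from the
# thread, trimmed to the keys that matter for the merge. No priority key.
WAFV2_MODULE = {
    "anonymous_ip": {
        "name": "AWS-AWSManagedRulesAnonymousIpList",
        "statement": {
            "managed_rule_group_statement": {
                "vendor_name": "AWS",
                "name": "AWSManagedRulesAnonymousIpList",
            }
        },
    },
    "wordpress_protect": {
        "name": "wordpress-protect",
        "statement": {
            "managed_rule_group_statement": {
                "vendor_name": "AWS",
                "name": "AWSManagedRulesWordPressRuleSet",
            }
        },
    },
}

# Option B fragment: only the part of the rule that differs per WebACL.
EXCLUDE_HOSTING_PROVIDER = {
    "statement": {
        "managed_rule_group_statement": {
            "excluded_rules": [{"name": "HostingProviderIPList"}]
        }
    }
}


def merge_rule(base, override):
    """Deep merge, the equivalent of combine(override, recursive=True,
    list_merge='append'): nested dicts merge key by key, lists are
    concatenated, scalars take the override value. Neither input is mutated."""
    result = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = merge_rule(result[key], value)
        elif isinstance(value, list) and isinstance(result.get(key), list):
            result[key] = result[key] + copy.deepcopy(value)
        else:
            result[key] = copy.deepcopy(value)
    return result


def shallow_merge(base, override):
    """What combine() does without recursive=True: the whole 'statement'
    mapping is replaced, so vendor_name and name are lost."""
    result = dict(base)
    result.update(override)
    return result


def add_int_priority(rules):
    """Option A: priority is the 1-based position in the list. Each rule is
    copied so the defaults shared between WebACLs are never modified."""
    return [dict(copy.deepcopy(rule), priority=i)
            for i, rule in enumerate(rules, start=1)]


def check_rules(rules):
    """Return the problems the module would otherwise send to AWS. An empty
    list means the ruleset is well-formed."""
    problems, seen_prio, seen_name = [], set(), set()
    for rule in rules:
        name, prio = rule.get("name"), rule.get("priority")
        if not isinstance(prio, int):
            problems.append("%s: missing priority" % name)
        elif prio in seen_prio:
            problems.append("%s: duplicate priority %d" % (name, prio))
        seen_prio.add(prio)
        if name in seen_name:
            problems.append("%s: duplicate rule name" % name)
        seen_name.add(name)
        mrg = rule.get("statement", {}).get("managed_rule_group_statement", {})
        if "vendor_name" not in mrg or "name" not in mrg:
            problems.append("%s: managed_rule_group_statement lost vendor_name/name" % name)
    return problems


def build_wordpress_rules():
    """The wordpress WebACL ruleset: anonymous IP list minus hosting providers,
    then the WordPress rule set, numbered in that order."""
    without_hosting = merge_rule(WAFV2_MODULE["anonymous_ip"], EXCLUDE_HOSTING_PROVIDER)
    return add_int_priority([without_hosting, WAFV2_MODULE["wordpress_protect"]])


class FilterModule(object):
    """Entry point Ansible looks for in filter_plugins/*.py."""
    def filters(self):
        return {
            "add_int_priority": add_int_priority,
            "merge_rule": merge_rule,
            "check_rules": check_rules,
        }
```

In a play this would be used as `rules: "{{ my_rule_list | add_int_priority }}"` followed by an `assert` task on `{{ rules | check_rules }}` being empty, so a duplicated priority or a merge that dropped the managed rule group name fails in Ansible before the WebACL is ever sent to AWS.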

pradeepjairamani1 commented 2 years ago

I was thinking of going with Option A; it looks like Option B will be a bit confusing. Thanks for the help.