Closed monelgordillo closed 4 years ago
@monelgordillo please refer to https://github.com/binbashar/terraform-aws-waf-owasp/issues/5 which should probably answer your question.
Summarizing:
Currently this new WAF version is not supported by the terraform-aws-provider; they're WIP though 💪 -> terraform-providers/terraform-provider-aws#11046
Considering the above, we haven't decided yet if we'll integrate wafv2
into this module or directly develop a new one for this purpose after it gets supported by the terraform AWS provider.
We'll let you all know when having updates on this.
CC: @diego-ojeda-binbash
ah I see. Thank you for the quick reply!
@monelgordillo I'm afraid at the moment we don't have plans to update the module to support WAF v2, so I would rather point you to this other module, which does provide support for that => https://github.com/umotif-public/terraform-aws-waf-webaclv2
@monelgordillo Hey Monica, thanks for keeping in touch 🙂 , we appreciate your feedback and follow-up regarding this PR.
So considering your requirements, I've taken the chance to give you a seat in our Binbash Leverage Reference Architecture Team, where you'll find some of our private repos (WIP to open source them) hosting our main https://leverage.binbash.com.ar project code and initiatives.
Probably the Leverage Reference Architecture Firewall Layer could be useful for your team since you'll find an AWS WAFv2 module implementation that can be taken as reference.
Hope you find this useful 🤝 ✅
```hcl
#
# Create a WAF v2 for EKS' ALB
#
module "wafv2_regional_alb" {
  source = "github.com/binbashar/terraform-aws-waf-webaclv2.git?ref=1.5.1"

  name_prefix = "${var.environment}-wafv2-albs"
  scope       = "REGIONAL"

  # alb_arn = module.alb.arn
  create_alb_association = false

  # Requests that match no rule are allowed.
  allow_default_action = true

  visibility_config = {
    cloudwatch_metrics_enabled = false
    metric_name                = "${var.environment}-wafv2-albs-main-metrics"
    sampled_requests_enabled   = true
  }

  # Every rule below uses override_action = "count": matches are counted, not blocked.
  rules = [
    {
      name            = "CommonRulesByAWS"
      priority        = "1"
      override_action = "count"
      visibility_config = {
        cloudwatch_metrics_enabled = false
        metric_name                = "CommonRulesByAWSMetric"
        sampled_requests_enabled   = true
      }
      managed_rule_group_statement = {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
        excluded_rule = [
          "SizeRestrictions_BODY",
        ]
      }
    },
    {
      name            = "BadInputsRulesByAWS"
      priority        = "2"
      override_action = "count"
      visibility_config = {
        cloudwatch_metrics_enabled = false
        metric_name                = "BadInputsRulesByAWSMetric"
        sampled_requests_enabled   = false
      }
      managed_rule_group_statement = {
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"
      }
    },
    {
      name            = "SQLiRulesByAWS"
      priority        = "3" # priorities must be unique within a web ACL
      override_action = "count"
      visibility_config = {
        cloudwatch_metrics_enabled = false
        metric_name                = "SQLiRulesByAWSMetric" # one metric name per rule
        sampled_requests_enabled   = false
      }
      managed_rule_group_statement = {
        name        = "AWSManagedRulesSQLiRuleSet"
        vendor_name = "AWS"
      }
    }
  ]

  tags = local.tags
}
```
📒 p.s. In our landing https://www.binbash.com.ar/ you could also find our Public Slack Binbash Leverage Channel in case you want to directly contact us to share ideas or get some of our community members' support.
CC: @binbashar/leverage-ref-architecture-aws-dev
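Added example, not code from the thread or from either Terraform module: a small pre-apply lint for a WAFv2 rule list of the shape used in the module call above. The rule list is constructed here as Python dicts (rule names mirror the thread's snippet; the duplicated priority and metric_name are deliberate to trigger the checks) and covers the three things a reviewer would check before applying: unique priorities, unique metric names, and whether an all-count, default-allow ACL actually enforces anything.

```python
"""Sanity checks for a WAFv2 web ACL rule list before terraform apply.

Constructed example; not part of the binbashar or umotif modules.
"""

# Constructed input: rule names as in the thread, with two planted defects
# (duplicate priority 2 and a reused metric_name) to exercise the lint.
RULES = [
    {"name": "CommonRulesByAWS", "priority": 1, "override_action": "count",
     "metric_name": "CommonRulesByAWSMetric",
     "managed_rule_group": "AWSManagedRulesCommonRuleSet"},
    {"name": "BadInputsRulesByAWS", "priority": 2, "override_action": "count",
     "metric_name": "BadInputsRulesByAWSMetric",
     "managed_rule_group": "AWSManagedRulesKnownBadInputsRuleSet"},
    {"name": "SQLiRulesByAWS", "priority": 2, "override_action": "count",
     "metric_name": "BadInputsRulesByAWSMetric",
     "managed_rule_group": "AWSManagedRulesSQLiRuleSet"},
]


def lint_web_acl(rules, allow_default_action=True):
    """Return a list of findings (empty list means the rule list looks sane).

    - priorities must be unique within a web ACL (AWS rejects duplicates);
    - metric names should be unique, otherwise CloudWatch merges two rules;
    - if the default action allows and every rule is in 'count' mode, the
      ACL only observes traffic and blocks nothing.
    """
    findings = []
    seen_prio, seen_metric = {}, {}
    for r in rules:
        p = int(r["priority"])  # HCL snippets often quote the number
        if p in seen_prio:
            findings.append(f"duplicate priority {p}: {seen_prio[p]} and {r['name']}")
        seen_prio.setdefault(p, r["name"])
        m = r["metric_name"]
        if m in seen_metric:
            findings.append(f"duplicate metric_name {m!r}: {seen_metric[m]} and {r['name']}")
        seen_metric.setdefault(m, r["name"])
    if allow_default_action and all(r["override_action"] == "count" for r in rules):
        findings.append("observe-only: default action allows and every rule is in count mode")
    return findings


if __name__ == "__main__":
    for finding in lint_web_acl(RULES):
        print(finding)
```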
Howdy any plans to update this to use the new AWS WAF, instead of AWS WAF Classic?