binbashar / terraform-aws-waf-owasp

AWS WAF at terraform modules to mitigate OWASP’s Top 10 Web Application Vulnerabilities
MIT License

New WAF, instead of WAF Classic? #12

Closed monelgordillo closed 4 years ago

monelgordillo commented 4 years ago

Howdy, any plans to update this to use the new AWS WAF, instead of AWS WAF Classic?

exequielrafaela commented 4 years ago

@monelgordillo please refer to https://github.com/binbashar/terraform-aws-waf-owasp/issues/5 which should probably answer your question.

Summarizing:

Currently this new WAF version is not supported by the terraform-aws-provider; they're WIP though 💪 -> terraform-providers/terraform-provider-aws#11046

Considering the above-mentioned, we haven't decided yet if we'll integrate wafv2 into this module or directly develop a new one for this purpose after it gets supported by the terraform AWS provider.

We'll let you all know when having updates on this.

CC: @diego-ojeda-binbash

monelgordillo commented 4 years ago

ah I see. Thank you for the quick reply!

monelgordillo commented 3 years ago

I noticed wafv2: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl

diego-ojeda-binbash commented 3 years ago

@monelgordillo I'm afraid at the moment we don't have plans to update the module to support WAF v2, so I would rather point you to this other module which does provide support for that => https://github.com/umotif-public/terraform-aws-waf-webaclv2

exequielrafaela commented 3 years ago

@monelgordillo Hey Monica, thanks for keeping in touch 🙂 , we appreciate your feedback and follow-up regarding this PR.

So considering your requirements I've taken the chance to give you a seat in our Binbash Leverage Reference Architecture Team, where you'll find some of our private repos (WIP to open source them) hosting our main https://leverage.binbash.com.ar project code and initiatives.

Probably the Leverage Reference Architecture Firewall Layer could be useful for your team since you'll find an AWS WAFv2 module implementation that can be taken as reference.

Hope you find this useful 🤝 ✅

Ref code example

#
# Create a WAF v2 for EKS' ALB
#
module "wafv2_regional_alb" {
  source = "github.com/binbashar/terraform-aws-waf-webaclv2.git?ref=1.5.1"

  name_prefix = "${var.environment}-wafv2-albs"
  scope       = "REGIONAL"

  # alb_arn     = module.alb.arn
  create_alb_association = false

  allow_default_action = true

  visibility_config = {
    cloudwatch_metrics_enabled = false
    metric_name                = "${var.environment}-wafv2-albs-main-metrics"
    sampled_requests_enabled   = true
  }

  rules = [
    {
      name     = "CommonRulesByAWS"
      priority = "1"

      override_action = "count"

      visibility_config = {
        cloudwatch_metrics_enabled = false
        metric_name                = "CommonRulesByAWSMetric"
        sampled_requests_enabled   = true
      }

      managed_rule_group_statement = {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
        excluded_rule = [
          "SizeRestrictions_BODY",
        ]
      }
    },
    {
      name     = "BadInputsRulesByAWS"
      priority = "2"

      override_action = "count"

      visibility_config = {
        cloudwatch_metrics_enabled = false
        metric_name                = "BadInputsRulesByAWSMetric"
        sampled_requests_enabled   = false
      }

      managed_rule_group_statement = {
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"
      }
    },
    {
      name     = "SQLiRulesByAWS"
      # Priorities must be unique within a web ACL; "2" is already used above.
      priority = "3"

      override_action = "count"

      visibility_config = {
        cloudwatch_metrics_enabled = false
        # Give this rule its own metric name so its counts are not mixed with BadInputs.
        metric_name                = "SQLiRulesByAWSMetric"
        sampled_requests_enabled   = false
      }

      managed_rule_group_statement = {
        name        = "AWSManagedRulesSQLiRuleSet"
        vendor_name = "AWS"
      }
    }
  ]

  tags = local.tags
}

📒 p.s. On our landing page https://www.binbash.com.ar/ you can also find our Public Slack Binbash Leverage Channel in case you want to contact us directly to share ideas or get support from some of our community members.

CC: @binbashar/leverage-ref-architecture-aws-dev
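For readers comparing the module above with the native `aws_wafv2_web_acl` resource linked earlier in this thread, here is the same REGIONAL web ACL with the Common rule set expressed directly in provider resources. This is an added example, not code from the binbashar module, the umotif module or anyone in this thread; it assumes an AWS provider version that supports `rule_action_override` (4.x or later) and a `var.alb_arn` input that you define yourself.

```hcl
resource "aws_wafv2_web_acl" "alb" {
  name  = "example-wafv2-albs"
  scope = "REGIONAL"
  default_action {
    allow {}
  }

  rule {
    name     = "CommonRulesByAWS"
    priority = 1

    # count: log and meter matches without blocking (tuning phase);
    # change to none {} to let the rule group's block actions take effect.
    override_action {
      count {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
        # Per-rule override, the newer form of the older excluded_rule block.
        rule_action_override {
          name = "SizeRestrictions_BODY"
          action_to_use {
            count {}
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "CommonRulesByAWSMetric"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "example-wafv2-albs-main-metrics"
    sampled_requests_enabled   = true
  }
}

# Attach the web ACL to the ALB (the module did this via create_alb_association).
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = var.alb_arn
  web_acl_arn  = aws_wafv2_web_acl.alb.arn
}
```

Metrics are enabled here so that count-mode matches are visible in CloudWatch before any rule is switched to blocking.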