Closed 80kk closed 3 years ago
Hello @80kk I think it might be that you need to provide an ARN to the ip_set_reference statement. It looks like you might be passing just the ip_set object and not the ARN. Please have a look at my code below that is working.
My working code looks like (note the way that I'm referring to the ARN for the IP set):
resource "aws_wafv2_ip_set" "custom_ip_set" {
name = "sean-test-custom-ip-set"
scope = "REGIONAL"
ip_address_version = "IPV4"
addresses = [
"192.168.1.1/32",
"127.0.0.1"
]
}
module "waf" {
source = "git@github.com:umotif-public/terraform-aws-waf-webaclv2.git?ref=3.1.0"
enabled = true
name_prefix = local.name_prefix
create_alb_association = false
scope = "REGIONAL"
allow_default_action = false
visibility_config = {
metric_name = "${local.name_prefix}-wafv2-metrics"
}
rules = [
{
name = "allow-statuscake"
priority = "70"
action = "block"
not_statement = {
ip_set_reference_statement = {
arn = aws_wafv2_ip_set.custom_ip_set.arn
}
}
visibility_config = {
cloudwatch_metrics_enabled = false
metric_name = "test-waf-setup-waf-ip-set-block-metrics"
sampled_requests_enabled = false
}
}
]
]
Thanks and please let us know if you continue to run into any issues after making that change.
Hello @80kk I think it might be that you need to provide an ARN to the ip_set_reference statement. It looks like you might be passing just the ip_set object and not the ARN. Please have a look at my code below that is working.
This is exactly what I am doing:
module.waf.whitelisted_ip_set
is an output from: aws_wafv2_ip_set.blacklisted_ip_set.arn
:
output "blacklisted_ip_set" {
value = aws_wafv2_ip_set.blacklisted_ip_set.arn
}
output "whitelisted_ip_set" {
value = aws_wafv2_ip_set.whitelisted_ip_set.arn
}
and it works fine for:
{
name = "whitelisted-ip-set"
priority = "60"
action = "allow"
ip_set_reference_statement = {
arn = module.waf.whitelisted_ip_set
}
visibility_config = {
cloudwatch_metrics_enabled = false
sampled_requests_enabled = true
}
},
{
name = "blacklisted-ip-set"
priority = "50"
action = "block"
ip_set_reference_statement = {
arn = module.waf.blacklisted_ip_set
}
visibility_config = {
cloudwatch_metrics_enabled = false
metric_name = join("", [var.tags.name, "-ip-set-block-metrics"])
sampled_requests_enabled = true
}
},
but not for:
{
name = "Allow-only-from"
priority = 70
action = "block"
not_statement = {
ip_set_reference_statement = {
arn = module.waf.whitelisted_ip_set
}
}
visibility_config = {
cloudwatch_metrics_enabled = false
metric_name = join("", [var.tags.name, "-allow-only-from"])
sampled_requests_enabled = false
}
}
]
Hi @80kk would you be able to send through the whole module block please (with any sensitive info redacted)? The rules you posted last work ok on my side, so it's possible there's something else missing.
Also may I confirm what version of terraform and aws_provider you're using please?
Thanks
Terraform v0.13.7
+ provider registry.terraform.io/hashicorp/aws v3.47.0
but 0.12.x is doing the same.
module waf {
source = "../../modules/global/WAFv2"
name_prefix = "WAFv2"
allow_default_action = true
region = var.region
aws_account_id = var.aws_account_id
log_destination_configs = [module.waf.aws_kinesis_firehose_delivery_stream]
firehose_stream_bucket_name = var.firehose_stream_bucket_name
redacted_fields = [
{
single_header = {
name = "user-agent"
}
}
]
logging_filter = {
default_behavior = "DROP"
filter = [
{
behavior = "KEEP"
requirement = "MEETS_ANY"
condition = [
{
action_condition = {
action = "ALLOW"
}
},
]
},
{
behavior = "KEEP"
requirement = "MEETS_ALL"
condition = [
{
action_condition = {
action = "COUNT"
}
}
]
}
]
}
visibility_config = {
cloudwatch_metrics_enabled = false
metric_name = "WAFv2-main-metrics"
sampled_requests_enabled = true
}
rules = [
{
name = "AWSManagedRulesCommonRuleSet-rule-1"
priority = "10"
override_action = "none"
visibility_config = {
cloudwatch_metrics_enabled = false
metric_name = "AWSManagedRulesCommonRuleSet-metric"
sampled_requests_enabled = true
}
managed_rule_group_statement = {
name = "AWSManagedRulesCommonRuleSet"
vendor_name = "AWS"
excluded_rule = [
"GenericRFI_QUERYARGUMENTS"
]
}
},
{
name = "AWSManagedRulesKnownBadInputsRuleSet-rule-2"
priority = "15"
override_action = "none"
visibility_config = {
cloudwatch_metrics_enabled = false
metric_name = "AWSManagedRulesKnownBadInputsRuleSet-metric"
sampled_requests_enabled = true
}
managed_rule_group_statement = {
name = "AWSManagedRulesKnownBadInputsRuleSet"
vendor_name = "AWS"
}
},
{
name = "AWSManagedRulesSQLiRuleSet-rule-3"
priority = "5"
override_action = "none"
visibility_config = {
cloudwatch_metrics_enabled = false
metric_name = "AWSManagedRulesSQLiRuleSet-metric"
sampled_requests_enabled = true
}
managed_rule_group_statement = {
name = "AWSManagedRulesSQLiRuleSet"
vendor_name = "AWS"
}
},
{
name = "AWSManagedRulesLinuxRuleSet-rule-4"
priority = "20"
override_action = "none"
visibility_config = {
cloudwatch_metrics_enabled = false
metric_name = "AWSManagedRulesLinuxRuleSet-metric"
sampled_requests_enabled = true
}
managed_rule_group_statement = {
name = "AWSManagedRulesLinuxRuleSet"
vendor_name = "AWS"
}
},
{
name = "AWSManagedRulesAmazonIpReputationList-rule-5"
priority = "25"
override_action = "none"
visibility_config = {
cloudwatch_metrics_enabled = false
metric_name = "AWSManagedRulesAmazonIpReputationList-metric"
sampled_requests_enabled = true
}
managed_rule_group_statement = {
name = "AWSManagedRulesAmazonIpReputationList"
vendor_name = "AWS"
}
},
{
name = "AWSManagedRulesBotControlRuleSet-rule-5"
priority = "30"
override_action = "none"
visibility_config = {
cloudwatch_metrics_enabled = false
metric_name = "AWSManagedRulesBotControlRuleSet-metric"
sampled_requests_enabled = true
}
managed_rule_group_statement = {
name = "AWSManagedRulesBotControlRuleSet"
vendor_name = "AWS"
excluded_rule = [
"CategoryHttpLibrary",
"SignalNonBrowserUserAgent"
]
}
},
{
name = "ip-rate-limit"
priority = "35"
action = "count"
rate_based_statement = {
limit = "500"
aggregate_key_type = "IP"
}
visibility_config = {
cloudwatch_metrics_enabled = false
sampled_requests_enabled = true
}
},
{
name = "block_country_codes"
priority = "40"
action = "block"
geo_match_statement = {
country_codes = ["KP"]
}
visibility_config = {
cloudwatch_metrics_enabled = false
metric_name = "block_country_codes-metric"
sampled_requests_enabled = true
}
},
{
name = "whitelisted-ip-set"
priority = "60"
action = "allow"
ip_set_reference_statement = {
arn = module.waf.whitelisted_ip_set
}
visibility_config = {
cloudwatch_metrics_enabled = false
sampled_requests_enabled = true
}
},
{
name = "blacklisted-ip-set"
priority = "50"
action = "block"
ip_set_reference_statement = {
arn = module.waf.blacklisted_ip_set
}
visibility_config = {
cloudwatch_metrics_enabled = false
metric_name = join("", [var.tags.name, "-ip-set-block-metrics"])
sampled_requests_enabled = true
}
},
{
name = "Allow-only-from"
priority = 70
action = "block"
not_statement = {
ip_set_reference_statement = {
arn = module.waf.whitelisted_ip_set
}
}
visibility_config = {
cloudwatch_metrics_enabled = false
metric_name = join("", [var.tags.name, "-allow-only-from"])
sampled_requests_enabled = false
}
}
]
tags = var.tags
}
module:
resource "aws_wafv2_ip_set" "blacklisted_ip_set" {
name = join("", [var.tags.Environment, "-BadBot-blacklisted-ips"])
description = "Blacklisted IPs"
scope = var.scope
ip_address_version = "IPV4"
addresses = []
}
resource "aws_wafv2_ip_set" "whitelisted_ip_set" {
name = join("", [var.tags.Environment, "-BadBot-whitelisted-ips"])
description = "Whitelisted IPs"
scope = var.scope
ip_address_version = "IPV4"
addresses = []
}
resource "aws_wafv2_web_acl" "main" {
name = var.name_prefix
scope = var.scope
default_action {
dynamic "allow" {
for_each = var.allow_default_action ? [1] : []
content {}
}
dynamic "block" {
for_each = var.allow_default_action ? [] : [1]
content {}
}
}
dynamic "rule" {
for_each = var.rules
content {
name = lookup(rule.value, "name")
priority = lookup(rule.value, "priority")
... the rest of https://github.com/umotif-public/terraform-aws-waf-webaclv2/blob/main/main.tf
output "web_acl_name" {
value = join("", aws_wafv2_web_acl.main.*.name)
}
output "web_acl_arn" {
value = join("", aws_wafv2_web_acl.main.*.arn)
}
output "web_acl_id" {
value = join("", aws_wafv2_web_acl.main.*.id)
}
output "web_acl_capacity" {
value = join("", aws_wafv2_web_acl.main.*.capacity)
}
output "blacklisted_ip_set" {
value = aws_wafv2_ip_set.blacklisted_ip_set.arn
}
output "whitelisted_ip_set" {
value = aws_wafv2_ip_set.whitelisted_ip_set.arn
}
output "aws_kinesis_firehose_delivery_stream" {
value = aws_kinesis_firehose_delivery_stream.kinesis_firehose_logs_stream.arn
}
Hi @80kk I see that the module has been modified slightly for the IP sets. I have tested on my side using terraform 0.13.7 and the module being referenced directly from github, and it is working correctly.
I would suggest moving your IP sets out of the module, as below, and use the module without edits by sourcing it with source = "git@github.com:umotif-public/terraform-aws-waf-webaclv2.git?ref=3.1.0"
as this does work.
resource "aws_wafv2_ip_set" "custom_ip_set" {
name = "sean-test-custom-ip-set"
scope = "REGIONAL"
ip_address_version = "IPV4"
addresses = [
"192.168.1.1/32",
"127.0.0.1/32"
]
}
module "waf" {
source = "git@github.com:umotif-public/terraform-aws-waf-webaclv2.git?ref=3.1.0"
enabled = true
name_prefix = local.name_prefix
create_alb_association = false
scope = "REGIONAL"
allow_default_action = false
visibility_config = {
metric_name = "${local.name_prefix}-wafv2-metrics"
}
rules = [
{
name = "block-ips"
priority = "70"
action = "block"
not_statement = {
ip_set_reference_statement = {
arn = aws_wafv2_ip_set.custom_ip_set.arn
}
}
visibility_config = {
cloudwatch_metrics_enabled = false
metric_name = "test-waf-setup-waf-ip-set-block-metrics"
sampled_requests_enabled = false
}
}
]
]
Unfortunately as you're working with a custom edited version of the module I cannot assist further, but if you do find issues with using the module as released please feel free to open a new issue.
Thanks,
Sean
Hi, I am trying to add not_statement rule blocking any IP address not being added to white list:
` { name = "whitelisted-ip-set" priority = "60" action = "allow"
` but I am getting the following error:
Error: Error updating WAFv2 WebACL: WAFInvalidParameterException: Error reason: You have used none or multiple values for a field that requires exactly one value., field: STATEMENT, parameter: Statement { RespMetadata: { StatusCode: 400, RequestID: "7a78d73b-9df5-4100-b006-af970e911eb9" }, Field: "STATEMENT", Message_: "Error reason: You have used none or multiple values for a field that requires exactly one value., field: STATEMENT, parameter: Statement", Parameter: "Statement", Reason: "You have used none or multiple values for a field that requires exactly one value." }
How this rule should look?