Recently we decided it would be a good idea to set up a Web Application Firewall for one of our applications after we noticed a good bit of scraping for PHP-related pages. AWS provides examples as CloudFormation templates, but we use Terraform and, where possible, prefer to stay consistent with our infrastructure-as-code tooling. Terraform examples were somewhat lacking, so we decided to open-source this module in the hope that it saves others in the same boat some time.
This is Juice Analytics' first open sourced Terraform module and any feedback or contribution is welcome!
The module currently takes only three variables: the app name, the environment, and the ARN of the ALB to attach the web ACL to.
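As an added usage example (not part of the module's own README), here is how a root configuration would call the module with those three inputs. The module source path and the input names `app_name`, `environment` and `alb_arn` are assumptions based on the description above, and Terraform 0.12+ syntax is assumed.

```hcl
# Added example, not the module's own code. Assumed: the source path, the input
# names app_name/environment/alb_arn, and Terraform 0.12+ syntax.

provider "aws" {
  region = "us-east-1"
}

variable "public_subnet_ids" {
  type = list(string)
}

# The ALB the web ACL is attached to. WAF Regional resources live in one
# region, so the module must be applied in the same region as the ALB.
resource "aws_lb" "app" {
  name               = "juice-prod-alb"
  load_balancer_type = "application"
  subnets            = var.public_subnet_ids
}

module "waf" {
  source      = "../terraform-aws-waf" # assumed: local checkout of this module
  app_name    = "juice"
  environment = "prod"
  alb_arn     = aws_lb.app.arn
}
```

Passing the ARN from the `aws_lb` resource rather than as a string literal makes Terraform order the web ACL association after the ALB exists, which avoids a failed first apply.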
Imposter syndrome disclaimer: We want your help. No really, we do.
There might be a little voice inside that tells you you're not ready; that you need to do one more tutorial, or learn another framework, or write a few more blog posts before you can help us with this project.
I assure you, that's not the case.
This project has some clear Contribution Guidelines and expectations that you can read here.
The contribution guidelines outline the process that you'll need to follow to get a patch merged. By making expectations and process explicit, we hope it will be easier for you to contribute.
And you don't just have to write code. You can help out by writing documentation, tests, or even by giving feedback about this work. (And yes, that includes giving feedback about the contribution guidelines.)
Thank you for contributing and thanks to Juice's very own Director of Engineering addriennefriend for this contribution guide!
Updates the Lambda runtime for the WAFIPLambda from nodejs6.10 to nodejs8.10, since 6.10 is reaching end of life. Runs as-is with no need to repackage or change any code. Seems to run at least 50% faster than the 6.10 runtime in the few test runs I've made.
Added the example from the CloudFormation template that automatically updates a list of known malicious IP addresses and blocks them. A Lambda is deployed that runs from a CloudWatch Events Rule and Event Target to refresh the IP set hourly. An aws_wafregional_ipset for a whitelist is defined for convenience, but it is not populated automatically; you can customize its use for your purposes.
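The wiring described above, as an added example rather than the module's own code: the two IP sets, a least-privilege role for the Lambda, the hourly CloudWatch Events rule and target, and the invoke permission the target needs. Assumed: Terraform 0.12+ syntax, the input names `app_name`/`environment`, the package path `lambda.zip`, the handler name, and the `IP_SET_ID` environment variable name.

```hcl
# Added example, not the module's own code. Assumed: Terraform 0.12+ syntax,
# the input names app_name/environment, lambda.zip, the handler name and the
# IP_SET_ID variable name.

variable "app_name" {}
variable "environment" {}

locals {
  prefix = "${var.app_name}-${var.environment}"
}

# Filled in by the Lambda on every run, so it starts empty.
resource "aws_wafregional_ipset" "blacklist" {
  name = "${local.prefix}-blacklist"
}

# Not updated automatically; add your own CIDRs. 203.0.113.0/24 is a
# documentation range used here as a placeholder.
resource "aws_wafregional_ipset" "whitelist" {
  name = "${local.prefix}-whitelist"

  ip_set_descriptor {
    type  = "IPV4"
    value = "203.0.113.0/24"
  }
}

resource "aws_iam_role" "ip_updater" {
  name = "${local.prefix}-waf-ip-updater"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "lambda.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Scope the role to the one IP set it maintains. WAF Classic requires a change
# token for every UpdateIPSet call, hence GetChangeToken.
resource "aws_iam_role_policy" "ip_updater" {
  name = "${local.prefix}-waf-ip-updater"
  role = aws_iam_role.ip_updater.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["waf-regional:GetChangeToken"]
        Resource = "arn:aws:waf-regional:*:*:changetoken/*"
      },
      {
        Effect   = "Allow"
        Action   = ["waf-regional:GetIPSet", "waf-regional:UpdateIPSet"]
        Resource = "arn:aws:waf-regional:*:*:ipset/${aws_wafregional_ipset.blacklist.id}"
      }
    ]
  })
}

resource "aws_lambda_function" "ip_updater" {
  function_name = "${local.prefix}-waf-ip-updater"
  role          = aws_iam_role.ip_updater.arn
  runtime       = "nodejs8.10"
  handler       = "index.handler"             # assumed
  filename      = "${path.module}/lambda.zip" # assumed package location
  timeout       = 300

  environment {
    variables = {
      IP_SET_ID = aws_wafregional_ipset.blacklist.id # assumed variable name
    }
  }
}

resource "aws_cloudwatch_event_rule" "hourly" {
  name                = "${local.prefix}-waf-ip-updater"
  schedule_expression = "rate(1 hour)"
}

resource "aws_cloudwatch_event_target" "ip_updater" {
  rule = aws_cloudwatch_event_rule.hourly.name
  arn  = aws_lambda_function.ip_updater.arn
}

# Without this resource policy the rule fires on schedule but the invoke is
# denied, and the IP set silently never changes.
resource "aws_lambda_permission" "events" {
  statement_id  = "AllowExecutionFromCloudWatchEvents"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.ip_updater.function_name
  principal     = "events.amazonaws.com"
  source_arn    = aws_cloudwatch_event_rule.hourly.arn
}
```

Neither IP set does anything on its own: the blacklist has to be referenced from an aws_wafregional_rule with an `IPMatch` predicate placed in the web ACL with a BLOCK action, and the whitelist from a higher-priority rule with an ALLOW action so trusted addresses are never caught by the block rules. The function also needs outbound internet access to fetch the published lists, so leave it outside a VPC or give it a NAT route.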
This first version of the module sets up the SQL injection rules from the CloudFormation template, as well as a byte match rule that blocks any attempt to access .php pages, to deal with the probing/scraping requests we were seeing in the logs.
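The two rules described above, as an added example that is not the module's own code: a byte match set on the URI, a SQL injection match set on the query string, both wrapped in rules inside a regional web ACL that is associated with the ALB. Assumed: Terraform 0.12+ syntax and the input names `app_name`, `environment` and `alb_arn`.

```hcl
# Added example, not the module's own code. Assumed: Terraform 0.12+ syntax
# and the input names app_name/environment/alb_arn.

variable "app_name" {}
variable "environment" {}
variable "alb_arn" {}

locals {
  prefix = "${var.app_name}-${var.environment}"
  # metric_name must be alphanumeric, so strip everything else.
  metric = replace("${var.app_name}${var.environment}", "/[^0-9A-Za-z]/", "")
}

# Any URI containing ".php". Only one transformation is allowed per tuple, so a
# second tuple URL-decodes first; "/index.PHP" and "/index%2Ephp" both match.
resource "aws_wafregional_byte_match_set" "php" {
  name = "${local.prefix}-php-uri"

  byte_match_tuples {
    target_string         = ".php"
    positional_constraint = "CONTAINS"
    text_transformation   = "LOWERCASE"
    field_to_match { type = "URI" }
  }

  byte_match_tuples {
    target_string         = ".php"
    positional_constraint = "CONTAINS"
    text_transformation   = "URL_DECODE"
    field_to_match { type = "URI" }
  }
}

# Inspect the query string after each decoding, since payloads are routinely
# URL- or HTML-entity-encoded to get past a plain string match.
resource "aws_wafregional_sql_injection_match_set" "sqli" {
  name = "${local.prefix}-sqli"

  sql_injection_match_tuples {
    text_transformation = "URL_DECODE"
    field_to_match { type = "QUERY_STRING" }
  }

  sql_injection_match_tuples {
    text_transformation = "HTML_ENTITY_DECODE"
    field_to_match { type = "QUERY_STRING" }
  }
}

resource "aws_wafregional_rule" "php" {
  name        = "${local.prefix}-php"
  metric_name = "${local.metric}php"

  predicate {
    data_id = aws_wafregional_byte_match_set.php.id
    negated = false
    type    = "ByteMatch"
  }
}

resource "aws_wafregional_rule" "sqli" {
  name        = "${local.prefix}-sqli"
  metric_name = "${local.metric}sqli"

  predicate {
    data_id = aws_wafregional_sql_injection_match_set.sqli.id
    negated = false
    type    = "SqlInjectionMatch"
  }
}

resource "aws_wafregional_web_acl" "this" {
  name        = local.prefix
  metric_name = local.metric

  default_action { type = "ALLOW" }

  rule {
    priority = 1
    rule_id  = aws_wafregional_rule.php.id
    action { type = "BLOCK" }
  }

  rule {
    priority = 2
    rule_id  = aws_wafregional_rule.sqli.id
    action { type = "BLOCK" }
  }
}

resource "aws_wafregional_web_acl_association" "alb" {
  resource_arn = var.alb_arn
  web_acl_id   = aws_wafregional_web_acl.this.id
}
```

Two caveats before reusing this. `CONTAINS` with `.php` also blocks legitimate URIs that merely contain that substring, which is only acceptable because the application serves no PHP at all; `ENDS_WITH` is the tighter choice if you only want to stop direct requests for PHP files. The SQL injection match set is known to produce false positives on free-text parameters (apostrophes in names, SQL-looking search terms), so run the rule with `action { type = "COUNT" }` first and review the sampled requests in the WAF console before switching it to BLOCK.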