main.tf
# Region and account of the credentials Terraform is running with.
# Neither data source is referenced anywhere in this file; presumably sibling
# files of the module read them (e.g. to build ARNs) — confirm before removing.
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}
# The wafregional resources are for ALBs in an AWS region, if we just used *_waf_* resources it would be in effect for
# Cloudfront
# NOTE(review): aws_wafregional_* is the WAF Classic API; its successor is aws_wafv2_web_acl
# with scope = "REGIONAL". Not changed here because that replaces the ACL and every rule it references.
resource "aws_wafregional_web_acl" "app_acl" {
  # Allow-by-default: a request that matches none of the rules below reaches the ALB
  # untouched. Only what a rule explicitly BLOCKs is stopped, so the completeness of the
  # rule set is the entire control here.
  default_action {
    type = "ALLOW"
  }
  # CloudWatch metric name. WAF metric names must be alphanumeric, which is why this
  # string drops the hyphens that `name` uses.
  metric_name = "${var.app}webacl${var.env}"
  name = "${var.app}-web-acl-${var.env}"
  # Here we attach all of the rules we've created to the ACL. Lower priority values means they will be evaluated first.
  # Valid values for the type in the action block of the rule are: BLOCK, ALLOW, and COUNT.
  # A match on an ALLOW or BLOCK rule ends evaluation; a match on a COUNT rule only
  # increments its metric and evaluation continues to the next priority.
  # Each action is a variable so one environment can run a rule in COUNT (detect-only)
  # before switching it to BLOCK. Nothing here validates the value, so a typo fails only
  # at apply time — a `validation` block on those variables (declared outside this file)
  # would reject it at plan time.
  # The three aws_wafregional_rule resources referenced below are defined elsewhere in the module.
  # NOTE(review): there is no logging_configuration block, so matched requests are visible only
  # as CloudWatch metrics and sampled requests; full request logging (Kinesis Data Firehose
  # destination) is what incident response would need.
  # Priority 1: presumably the SQL-injection match set, judging by the rule name.
  rule {
    action {
      type = var.SQLI_ACTION
    }
    priority = 1
    rule_id = aws_wafregional_rule.sql-inj-rule.id
  }
  # Priority 2: byte-match rule (contents defined with the rule, not here).
  rule {
    action {
      type = var.BYTE_MATCH_ACTION
    }
    priority = 2
    rule_id = aws_wafregional_rule.byte-match-rule.id
  }
  # Priority 3: IP-set rule. Evaluated last, so an IP allow/deny decision only applies
  # to requests the two rules above did not already ALLOW or BLOCK.
  rule {
    action {
      type = var.IP_ACTION
    }
    priority = 3
    rule_id = aws_wafregional_rule.WAFIPRule.id
  }
}
# Associate our WEB ACL with the ALB
# Binds the ACL above to a single load balancer whose ARN the caller supplies; once
# associated, the ACL applies to every request that ALB receives. A regional ACL can
# only be associated with a resource in the same region it was created in, so the ALB
# must live in the region the provider is configured for.
resource "aws_wafregional_web_acl_association" "alb-association" {
  resource_arn = var.alb_arn
  web_acl_id = aws_wafregional_web_acl.app_acl.id
}