7

我创建了以下 AWS WAF ACL,我想使用 terraform 将它与我的 ALB 相关联。有什么办法可以使用 terraform 做到这一点?我想阻止所有请求,除了那些使用亚马逊 Web 服务 Web 应用程序防火墙 aws waf 具有密钥的请求。为此,我创建了 byte_set、aws 规则和访问控制列表、ACL

    resource "aws_alb" "app" {
    ............
  }


#waf
resource "aws_waf_byte_match_set" "byte_set" {
  name = "tf_waf_byte_match_set"

  byte_match_tuples {
    text_transformation   = "NONE"
    target_string         = "${var.secret_key}"
    positional_constraint = "EXACTLY"

    field_to_match {
      type = "HEADER"
      data = "referer"
    }
  }
}

resource "aws_waf_rule" "wafrule" {
  depends_on  = ["aws_waf_byte_match_set.byte_set"]
  name        = "tfWAFRule"
  metric_name = "tfWAFRule"

  predicates {
    data_id = "${aws_waf_byte_match_set.byte_set.id}"
    negated = false
    type    = "ByteMatch"
  }
}

resource "aws_waf_web_acl" "waf_acl" {
  depends_on  = ["aws_waf_byte_match_set.byte_set", "aws_waf_rule.wafrule"]
  name        = "tfWebACL"
  metric_name = "tfWebACL"

  default_action {
    type = "BLOCK"
  }

  rules {
    action {
      type = "ALLOW"
    }

    priority = 1
    rule_id  = "${aws_waf_rule.wafrule.id}"
  }
}
4

3 回答 3

5

当然,这里有一个 WAFv2 资源示例(我建议使用这个),其中包含速率限制示例规则以及与 ALB 的关联:

########### This is the creation of an WAFv2 (Web ACL) and a example rate limit rule

resource "aws_wafv2_web_acl" "my_web_acl" {
  name  = "my-web-acl"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "RateLimit"
    priority = 1

    action {
      block {}
    }

    statement {

      rate_based_statement {
        aggregate_key_type = "IP"
        limit              = 500
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "RateLimit"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "my-web-acl"
    sampled_requests_enabled   = false
  }
}

########### This is the association code

resource "aws_wafv2_web_acl_association" "web_acl_association_my_lb" {
  resource_arn = aws_lb.my_lb.arn
  web_acl_arn  = aws_wafv2_web_acl.my_web_acl.arn
}
于 2020-10-01T07:56:31.187 回答
4

您可以将 WAF 与 ALB(应用程序负载均衡器)关联,而与 CloudFront 关联,您不能将其与 ELB(经典弹性负载均衡器)关联。

要与 ALB 关联,这是一段代码

resource "aws_wafregional_web_acl_association" "foo" {
  resource_arn = "${aws_alb.foo.arn}"
  web_acl_id = "${aws_wafregional_web_acl.foo.id}"
}

取自官方文档

于 2018-08-02T08:00:11.440 回答
0

此功能已提出但尚未合并。

于 2017-03-26T09:52:12.937 回答