Add support for blocking ip sets and include terratests

hblabvn · Aug 20, 2020 · 439114d · 439114d
1 parent 31c0af1
commit 439114d
Show file tree

Hide file tree

Showing 16 changed files with 889 additions and 16 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -21,3 +21,20 @@ repos:
     hooks:
       - id: terraform_docs
       - id: terraform_fmt
+
+  - repo: local
+    hooks:
+      - id: go-version
+        name: go version
+        entry: scripts/check-go-version
+        language: script
+        types: [go]
+
+  - repo: local
+    hooks:
+      - id: gomod
+        name: gomod
+        entry: scripts/pre-commit-go-mod
+        language: script
+        files: go.mod
+        pass_filenames: false
diff --git a/Makefile b/Makefile
@@ -0,0 +1,18 @@
+.PHONY: ensure_pre_commit
+ensure_pre_commit: .git/hooks/pre-commit ## Ensure pre-commit is installed
+.git/hooks/pre-commit: /usr/local/bin/pre-commit
+	pre-commit install
+	pre-commit install-hooks
+
+.PHONY: pre_commit_tests
+pre_commit_tests: ensure_pre_commit ## Run pre-commit tests
+	pre-commit run --all-files
+
+.PHONY: test
+test: pre_commit_tests
+	  scripts/make-test
+
+.PHONY: clean
+clean:
+	rm -f .*.stamp
+	rm -rf bin
diff --git a/README.md b/README.md
@@ -1,6 +1,10 @@
 # terraform-aws-wafv2
 
-Creates a WAF using AWS WAFv2 and AWS Managed Rule Sets. Module supports association with CloudFront or Application Load Balancers (ALB).
+Creates AWS WAFv2 ACL and supports the following
+
+* AWS Managed Rule Sets
+* Associating with Application Load Balancers (ALB)
+* Blocking IP Sets
 
 ## Usage with CloudFront
 
@@ -26,11 +30,41 @@ module "alb_wafv2" {
   name  = "alb-web-acl"
   scope = "REGIONAL"
 
-  associate_alb = true
   alb_arn       = aws_lb.alb.arn
 }
 ```
 
+## Usage blocking IP Sets
+
+```hcl
+resource "aws_wafv2_ip_set" "ipset" {
+  name = "blocked_ips"
+
+  scope              = "REGIONAL"
+  ip_address_version = "IPV4"
+
+  addresses = [
+    "1.2.3.4/32",
+    "5.6.7.8/32"
+  ]
+}
+
+module "wafv2" {
+  source = "../../"
+
+  name   = "wafv2"
+  scope = "REGIONAL"
+
+  blocked_ip_rules = [
+    {
+      name       = "blocked_ips"
+      priority   = 1
+      ip_set_arn = aws_wafv2_ip_set.ipset.arn
+    }
+  ]
+}
+```
+
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
@@ -49,8 +83,8 @@ module "alb_wafv2" {
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| alb\_arn | ARN of the Application Load Balancer (ALB) to be associated with the Web Application Firewall (WAF) Access Control List (ACL). | `string` | `""` | no |
-| associate\_alb | Whether to associate an Application Load Balancer (ALB) with an Web Application Firewall (WAF) Access Control List (ACL). | `bool` | `false` | no |
+| alb\_arn | ARN of the ALB to be associated with the WAFv2 ACL. | `string` | `""` | no |
+| blocked\_ip\_sets | List of IP Sets to block. | <pre>list(object({<br>    name       = string<br>    priority   = number<br>    ip_set_arn = string<br>  }))</pre> | `[]` | no |
 | managed\_rules | List of Managed WAF rules. | <pre>list(object({<br>    name            = string<br>    priority        = number<br>    override_action = string<br>    excluded_rules  = list(string)<br>  }))</pre> | <pre>[<br>  {<br>    "excluded_rules": [],<br>    "name": "AWSManagedRulesCommonRuleSet",<br>    "override_action": "none",<br>    "priority": 10<br>  },<br>  {<br>    "excluded_rules": [],<br>    "name": "AWSManagedRulesAmazonIpReputationList",<br>    "override_action": "none",<br>    "priority": 20<br>  },<br>  {<br>    "excluded_rules": [],<br>    "name": "AWSManagedRulesKnownBadInputsRuleSet",<br>    "override_action": "none",<br>    "priority": 30<br>  },<br>  {<br>    "excluded_rules": [],<br>    "name": "AWSManagedRulesSQLiRuleSet",<br>    "override_action": "none",<br>    "priority": 40<br>  },<br>  {<br>    "excluded_rules": [],<br>    "name": "AWSManagedRulesLinuxRuleSet",<br>    "override_action": "none",<br>    "priority": 50<br>  },<br>  {<br>    "excluded_rules": [],<br>    "name": "AWSManagedRulesUnixRuleSet",<br>    "override_action": "none",<br>    "priority": 60<br>  }<br>]</pre> | no |
 | name | A friendly name of the WebACL. | `string` | n/a | yes |
 | scope | The scope of this Web ACL. Valid options: CLOUDFRONT, REGIONAL. | `string` | n/a | yes |
@@ -60,6 +94,30 @@ module "alb_wafv2" {
 
 | Name | Description |
 |------|-------------|
-| web\_acl\_id | n/a |
+| web\_acl\_id | The ARN of the WAF WebACL. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+## Developer Setup
+
+Install dependencies (macOS)
+
+```shell
+brew install pre-commit go terraform terraform-docs
+pre-commit install --install-hooks
+```
+
+### Testing
+
+[Terratest](https://github.com/gruntwork-io/terratest) is being used for
+automated testing with this module. Tests in the `test` folder can be run
+locally by running the following command:
+
+```text
+make test
+```
+
+Or with aws-vault:
+
+```text
+AWS_VAULT_KEYCHAIN_NAME=<NAME> aws-vault exec <PROFILE> -- make test
diff --git a/examples/ip_sets/main.tf b/examples/ip_sets/main.tf
@@ -0,0 +1,45 @@
+resource "aws_wafv2_ip_set" "ipset" {
+  name = "ip_set_${var.test_name}1"
+
+  scope              = "REGIONAL"
+  ip_address_version = "IPV4"
+
+  addresses = [
+    "1.2.3.4/32",
+    "5.6.7.8/32"
+  ]
+}
+
+resource "aws_wafv2_ip_set" "ipset2" {
+  name = "ip_set_${var.test_name}2"
+
+  scope              = "REGIONAL"
+  ip_address_version = "IPV4"
+
+  addresses = [
+    "9.10.11.12/32",
+    "12.14.15.16/32"
+  ]
+}
+
+module "wafv2" {
+  source = "../../"
+  name   = var.test_name
+
+  scope = "REGIONAL"
+
+  blocked_ip_sets = [
+    {
+      name       = "ip_set_${var.test_name}1"
+      priority   = 1
+      ip_set_arn = aws_wafv2_ip_set.ipset.arn
+    },
+    {
+      name       = "ip_set_${var.test_name}2"
+      priority   = 2
+      ip_set_arn = aws_wafv2_ip_set.ipset.arn
+    }
+
+  ]
+}
+
diff --git a/examples/ip_sets/variables.tf b/examples/ip_sets/variables.tf
@@ -0,0 +1,3 @@
+variable "test_name" {
+  type = string
+}
diff --git a/examples/simple_alb/main.tf b/examples/simple_alb/main.tf
@@ -0,0 +1,27 @@
+module "wafv2" {
+  source = "../../"
+  name   = var.test_name
+
+  scope   = "REGIONAL"
+  alb_arn = aws_lb.alb.arn
+}
+
+resource "aws_lb" "alb" {
+  name               = var.test_name
+  internal           = false
+  load_balancer_type = "application"
+  subnets            = module.vpc.public_subnets
+}
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 2"
+  name    = var.test_name
+  cidr    = "10.0.0.0/16"
+  azs     = var.vpc_azs
+  public_subnets = [
+    "10.0.101.0/24",
+    "10.0.102.0/24",
+    "10.0.103.0/24"
+  ]
+}
diff --git a/examples/simple_alb/variables.tf b/examples/simple_alb/variables.tf
@@ -0,0 +1,7 @@
+variable "test_name" {
+  type = string
+}
+
+variable "vpc_azs" {
+  type = list(string)
+}
diff --git a/go.mod b/go.mod
@@ -0,0 +1,5 @@
+module github.com/trussworks/terraform-aws-wafv2
+
+go 1.14
+
+require github.com/gruntwork-io/terratest v0.28.13