Add WAF

jarrod-lowe · Aug 15, 2024 · 05a44f5 · 05a44f5
1 parent 383dbd2
commit 05a44f5
Show file tree

Hide file tree

Showing 13 changed files with 263 additions and 49 deletions.
diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml
@@ -4,6 +4,7 @@ on:
   pull_request:
     paths:
     - terraform/environment/wildsea/**
+    - terraform/modules/wildsea/**
   push:
     branches:
     - main

diff --git a/Makefile b/Makefile
@@ -2,20 +2,33 @@ default: all
 
 TERRAFORM_ENVIRONMENTS := aws github wildsea aws-dev wildsea-dev
 TERRAFOM_VALIDATE := $(addsuffix /.validate,$(addprefix terraform/environment/, $(TERRAFORM_ENVIRONMENTS)))
+TERRAFORM_MODULES := iac-roles oidc state-bucket wildsea
 ACCOUNT_ID := $(shell aws sts get-caller-identity --query 'Account' --output text)
 AWS_REGION ?= "ap-southeast-2"
 RO_ROLE = arn:aws:iam::$(ACCOUNT_ID):role/GitHubAction-Wildsea-ro-dev
 RW_ROLE = arn:aws:iam::$(ACCOUNT_ID):role/GitHubAction-Wildsea-rw-dev
 
 all: $(TERRAFOM_VALIDATE)
 
-terraform/environment/%/.validate: terraform/environment/%/*.tf
+.PHONY: terraform-format
+terraform-format: $(addprefix terraform-format-environment-,$(TERRAFORM_ENVIRONMENTS)) $(addprefix terraform-format-module-,$(TERRAFORM_MODULES))
+	@true
+
+.PHONY: terraform-format-environment-%
+terraform-format-environment-%:
+	cd terraform/environment/$*; terraform fmt
+
+.PHONY: terraform-format-module-%
+terraform-format-module-%:
+	cd terraform/module/$*; terraform fmt
+
+terraform/environment/%/.validate: terraform/environment/%/*.tf terraform-format
 	cd terraform/environment/$* ; terraform fmt
 	cd terraform/environment/$* ; terraform validate
 	touch $@
 
 .PHONY: dev
-dev: terraform/environment/aws-dev/.apply terraform/environment/wildsea-dev/.apply
+dev: terraform-format terraform/environment/aws-dev/.apply terraform/environment/wildsea-dev/.apply
 	@true
 
 terraform/environment/aws-dev/.apply: terraform/environment/aws-dev/*.tf terraform/module/iac-roles/*.tf

diff --git a/terraform/environment/aws-dev/main.tf b/terraform/environment/aws-dev/main.tf
@@ -46,13 +46,13 @@ provider "aws" {
 }
 
 module "iac-roles" {
-  source = "../../module/iac-roles"
-  app_name = var.app_name
-  environment = var.environment
-  action_prefix = var.action_prefix
-  workspace = "none"
-  repo = var.repo
+  source           = "../../module/iac-roles"
+  app_name         = var.app_name
+  environment      = var.environment
+  action_prefix    = var.action_prefix
+  workspace        = "none"
+  repo             = var.repo
   state_bucket_arn = "arn:${data.aws_partition.current.id}:s3:::${var.state_bucket}"
-  oidc_type = "AWS"
-  oidc_arn = data.aws_caller_identity.current.account_id
+  oidc_type        = "AWS"
+  oidc_arn         = data.aws_caller_identity.current.account_id
 }
diff --git a/terraform/environment/wildsea-dev/main.tf b/terraform/environment/wildsea-dev/main.tf
@@ -28,5 +28,5 @@ module "wildsea" {
   source = "../../module/wildsea"
 
   saml_metadata_url = var.saml_metadata_url
-  prefix = local.prefix
+  prefix            = local.prefix
 }
diff --git a/terraform/environment/wildsea-dev/plan b/terraform/environment/wildsea-dev/plan
diff --git a/terraform/environment/wildsea/main.tf b/terraform/environment/wildsea/main.tf
@@ -33,5 +33,5 @@ module "wildsea" {
   source = "../../module/wildsea"
 
   saml_metadata_url = var.saml_metadata_url
-  prefix = local.prefix
+  prefix            = local.prefix
 }
diff --git a/terraform/module/iac-roles/policy.tf b/terraform/module/iac-roles/policy.tf
@@ -46,6 +46,9 @@ data "aws_iam_policy_document" "ro" {
     sid = "CognitoIdpGlobal"
     actions = [
       "cognito-idp:DescribeUserPoolDomain",
+      "appsync:SetWebACL",
+      "wafv2:GetWebACLForResource",
+      "wafv2:GetWebAcl",
     ]
     resources = [
       "*"
@@ -107,6 +110,19 @@ data "aws_iam_policy_document" "ro" {
       "arn:${data.aws_partition.current.id}:logs:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:log-group:*"
     ]
   }
+
+  statement {
+    actions = [
+      "wafv2:ListWebACLs",
+      "wafv2:ListTagsForResource",
+    ]
+    resources = ["*"]
+    condition {
+      test     = "StringEquals"
+      variable = "aws:ResourceTag/Name"
+      values   = [local.prefix]
+    }
+  }
 }
 
 data "aws_iam_policy_document" "rw" {
@@ -254,14 +270,52 @@ data "aws_iam_policy_document" "rw" {
   }
 
   statement {
-    actions = ["iam:CreateServiceLinkedRole"]
+    actions   = ["iam:CreateServiceLinkedRole"]
     resources = ["*"]
     condition {
       test     = "StringEquals"
       variable = "iam:AWSServiceName"
       values   = ["appsync.${data.aws_partition.current.dns_suffix}"]
     }
   }
+
+  statement {
+    actions = [
+      "wafv2:CreateWebAcl",
+      "wafv2:TagResource",
+    ]
+    resources = ["*"]
+    condition {
+      test     = "StringEquals"
+      variable = "aws:RequestTag/Name"
+      values   = [local.prefix]
+    }
+  }
+
+  statement {
+    actions = [
+      "wafv2:CreateWebACL",
+    ]
+    resources = [
+      "arn:aws:wafv2:ap-southeast-2:021891603679:regional/managedruleset/*/*"
+    ]
+  }
+
+  statement {
+    actions = [
+      "wafv2:UpdateWebACL",
+      "wafv2:DeleteWebACL",
+      "wafv2:ListTagsForResource",
+      "wafv2:AssociateWebACL",
+    ]
+    resources = ["*"]
+    condition {
+      test     = "StringEquals"
+      variable = "aws:ResourceTag/Name"
+      values   = [local.prefix]
+    }
+  }
+
 }
 
 data "aws_iam_policy_document" "rw_boundary" {
@@ -326,9 +380,11 @@ data "aws_iam_policy_document" "rw_boundary" {
   }
 
   statement {
-    sid = "CognitoIdpGlobal"
     actions = [
       "cognito-idp:DescribeUserPoolDomain",
+      "appsync:SetWebACL",
+      "wafv2:GetWebACLForResource",
+      "wafv2:GetWebAcl",
     ]
     resources = [
       "*"
@@ -441,12 +497,63 @@ data "aws_iam_policy_document" "rw_boundary" {
   }
 
   statement {
-    actions = ["iam:CreateServiceLinkedRole"]
+    actions   = ["iam:CreateServiceLinkedRole"]
     resources = ["*"]
     condition {
       test     = "StringEquals"
       variable = "iam:AWSServiceName"
       values   = ["appsync.${data.aws_partition.current.dns_suffix}"]
     }
   }
+
+  statement {
+    actions = [
+      "wafv2:CreateWebAcl",
+      "wafv2:TagResource",
+    ]
+    resources = ["*"]
+    condition {
+      test     = "StringEquals"
+      variable = "aws:RequestTag/Name"
+      values   = [local.prefix]
+    }
+  }
+
+  statement {
+    actions = [
+      "wafv2:CreateWebACL",
+    ]
+    resources = [
+      "arn:aws:wafv2:ap-southeast-2:021891603679:regional/managedruleset/*/*"
+    ]
+  }
+
+  statement {
+    actions = [
+      "wafv2:UpdateWebACL",
+      "wafv2:DeleteWebACL",
+      "wafv2:UpdatebACL",
+      "wafv2:ListTagsForResource",
+      "wafv2:AssociateWebACL",
+    ]
+    resources = ["*"]
+    condition {
+      test     = "StringEquals"
+      variable = "aws:ResourceTag/Name"
+      values   = [local.prefix]
+    }
+  }
+
+  statement {
+    actions = [
+      "wafv2:ListWebACLs",
+      "wafv2:ListTagsForResource",
+    ]
+    resources = ["*"]
+    condition {
+      test     = "StringEquals"
+      variable = "aws:ResourceTag/Name"
+      values   = [local.prefix]
+    }
+  }
 }
diff --git a/terraform/module/iac-roles/roles.tf b/terraform/module/iac-roles/roles.tf
@@ -9,7 +9,7 @@ resource "aws_iam_role" "ro" {
 
 data "aws_iam_policy_document" "ro_assume" {
   statement {
-    actions = [ var.oidc_type == "Federated" ? "sts:AssumeRoleWithWebIdentity" : "sts:AssumeRole" ]
+    actions = [var.oidc_type == "Federated" ? "sts:AssumeRoleWithWebIdentity" : "sts:AssumeRole"]
     principals {
       type        = var.oidc_type
       identifiers = [var.oidc_arn]
@@ -59,7 +59,7 @@ resource "aws_iam_role" "rw" {
 
 data "aws_iam_policy_document" "rw_assume" {
   statement {
-    actions = [ var.oidc_type == "Federated" ? "sts:AssumeRoleWithWebIdentity" : "sts:AssumeRole" ]
+    actions = [var.oidc_type == "Federated" ? "sts:AssumeRoleWithWebIdentity" : "sts:AssumeRole"]
     principals {
       type        = var.oidc_type
       identifiers = [var.oidc_arn]

diff --git a/terraform/module/oidc/main.tf b/terraform/module/oidc/main.tf
@@ -11,5 +11,5 @@ resource "aws_iam_openid_connect_provider" "oidc" {
 }
 
 output "oidc_arn" {
-    value = aws_iam_openid_connect_provider.oidc.arn
+  value = aws_iam_openid_connect_provider.oidc.arn
 }
diff --git a/terraform/module/state-bucket/s3.tf b/terraform/module/state-bucket/s3.tf
@@ -57,5 +57,5 @@ resource "aws_s3_bucket_versioning" "state" {
 
 output "arn" {
   description = "ARN of the state bucket"
-  value = aws_s3_bucket.state.arn
+  value       = aws_s3_bucket.state.arn
 }
diff --git a/terraform/module/wildsea/cognito.tf b/terraform/module/wildsea/cognito.tf
@@ -7,7 +7,7 @@ resource "aws_cognito_user_pool" "cognito" {
 }
 
 resource "aws_cognito_identity_provider" "idp" {
-  for_each = var.saml_metadata_url == "" ? toset([]) : toset([1])
+  for_each      = var.saml_metadata_url == "" ? toset([]) : toset([1])
   user_pool_id  = aws_cognito_user_pool.cognito.id
   provider_name = "SAML"
   provider_type = "SAML"
@@ -34,7 +34,7 @@ resource "aws_cognito_user_pool_client" "cognito" {
   logout_urls                          = ["https://TODO"]
   allowed_oauth_flows                  = ["code", "implicit"]
   allowed_oauth_scopes                 = ["openid"]
-  supported_identity_providers         = [ var.saml_metadata_url == "" ? "COGNITO" : aws_cognito_identity_provider.idp[0].provider_name ]
+  supported_identity_providers         = [var.saml_metadata_url == "" ? "COGNITO" : aws_cognito_identity_provider.idp[0].provider_name]
 }
 
 resource "aws_cognito_identity_pool" "cognito" {
@@ -86,7 +86,7 @@ resource "aws_iam_policy" "cognito" {
   name   = "${var.prefix}-user"
   policy = data.aws_iam_policy_document.cognito.json
 }
-  
+
 data "aws_iam_policy_document" "cognito" {
   statement {
     actions = [