Is the Terraform WAF Web ACL resource useless?

new*_*ala 2 amazon-web-services terraform

Terraform provides a WAF Web ACL resource. Can it be attached to anything that uses terraform (for example an ALB), or is it useless?

yda*_*coR 6

With the release of version 1.12 of the AWS provider, it is now possible to create regional WAF resources directly for use with load balancers.

You can now create any of aws_wafregional_byte_match_set, aws_wafregional_ipset, aws_wafregional_size_constraint_set, aws_wafregional_sql_injection_match_set and aws_wafregional_xss_match_set, attach these as predicates to an aws_wafregional_rule, and then in turn add the WAF rule to an aws_wafregional_web_acl. Finally, you can attach the regional WAF to a load balancer with the aws_wafregional_web_acl_association resource.

The regional WAF Web ACL association resource documentation provides a useful example of how they all link together:

resource "aws_wafregional_ipset" "ipset" {
  name = "tfIPSet"

  ip_set_descriptor {
    type  = "IPV4"
    value = "192.0.7.0/24"
  }
}

resource "aws_wafregional_rule" "foo" {
  name        = "tfWAFRule"
  metric_name = "tfWAFRule"

  predicate {
    data_id = "${aws_wafregional_ipset.ipset.id}"
    negated = false
    type    = "IPMatch"
  }
}

resource "aws_wafregional_web_acl" "foo" {
  name = "foo"
  metric_name = "foo"
  default_action {
    type = "ALLOW"
  }
  rule {
    action {
      type = "BLOCK"
    }
    priority = 1
    rule_id = "${aws_wafregional_rule.foo.id}"
  }
}

resource "aws_vpc" "foo" {
  cidr_block = "10.1.0.0/16"
}

data "aws_availability_zones" "available" {}

resource "aws_subnet" "foo" {
  vpc_id = "${aws_vpc.foo.id}"
  cidr_block = "10.1.1.0/24"
  availability_zone = "${data.aws_availability_zones.available.names[0]}"
}

resource "aws_subnet" "bar" {
  vpc_id = "${aws_vpc.foo.id}"
  cidr_block = "10.1.2.0/24"
  availability_zone = "${data.aws_availability_zones.available.names[1]}"
}

resource "aws_alb" "foo" {
  internal = true
  subnets = ["${aws_subnet.foo.id}", "${aws_subnet.bar.id}"]
}

resource "aws_wafregional_web_acl_association" "foo" {
  resource_arn = "${aws_alb.foo.arn}"
  web_acl_id = "${aws_wafregional_web_acl.foo.id}"
}

Original post:

The regional WAF resources have been stuck in a mix of review and people abandoning pull requests, but they are planned for release in version 1.12.0 of the AWS provider.

At the moment only the byte match set and IP address set resources are available, so without the rule, ACL and association resources to actually do something with them, they are not of much use.

Until then, you can use CloudFormation through Terraform's own escape hatch, the aws_cloudformation_stack resource, like this:

resource "aws_lb" "load_balancer" {
  ...
}

resource "aws_cloudformation_stack" "waf" {
  name = "waf-example"

  parameters {
    ALBArn = "${aws_lb.load_balancer.arn}"
  }

  template_body = <<STACK
Parameters:
  ALBArn:
    Type: String

Resources:
  WAF:
    Type: AWS::WAFRegional::WebACL
    Properties:
      Name: WAF-Example
      DefaultAction:
        Type: BLOCK
      MetricName: WafExample
      Rules:
        - Action:
            Type: ALLOW
          Priority: 2
          RuleId:
            Ref: WhitelistRule

  WhitelistRule:
    Type: AWS::WAFRegional::Rule
    Properties:
      Name: WAF-Example-Whitelist
      MetricName: WafExampleWhiteList
      Predicates:
        - DataId:
            Ref: ExternalAPIURI
          Negated: false
          Type: ByteMatch

  ExternalAPIURI:
    Type: AWS::WAFRegional::ByteMatchSet
    Properties:
      Name: WAF-Example-StringMatch
      ByteMatchTuples:
        - FieldToMatch:
            Type: URI
          PositionalConstraint: STARTS_WITH
          TargetString: /public/
          TextTransformation: NONE

  WAFALBattachment:
    Type: AWS::WAFRegional::WebACLAssociation
    Properties:
      ResourceArn:
        Ref: ALBArn
      WebACLId:
        Ref: WAF
STACK
}
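The two configurations in the answer above take opposite postures: the Terraform example defaults to ALLOW and blocks one IP range, while the CloudFormation example defaults to BLOCK and allows only URIs starting with /public/. The following is an added example, not code from the answer or from the AWS provider: a small Python model of how a WAF Classic web ACL decides a request (rules evaluated in priority order, the first ALLOW or BLOCK match is final, otherwise the default action applies; the predicates of a rule are ANDed and negated=true inverts a set match). The IPSet, ByteMatchSet, Predicate, Rule and WebACL classes and the sample requests are constructed for this illustration and are simplified stand-ins for the real AWS resources.

```python
"""Toy model of AWS WAF Classic web ACL evaluation, mirroring the two ACLs above.
Constructed example: the classes stand in for the Terraform/CloudFormation resources."""
import ipaddress
from dataclasses import dataclass


@dataclass
class IPSet:
    cidrs: list  # IPV4/IPV6 ip_set_descriptor values

    def matches(self, request):
        ip = ipaddress.ip_address(request["source_ip"])
        return any(ip in ipaddress.ip_network(c) for c in self.cidrs)


@dataclass
class ByteMatchSet:
    field_to_match: str        # only "URI" is exercised here
    positional_constraint: str  # STARTS_WITH | ENDS_WITH | CONTAINS | EXACTLY
    target_string: str
    text_transformation: str = "NONE"  # NONE | LOWERCASE

    def matches(self, request):
        value = request[self.field_to_match.lower()]
        if self.text_transformation == "LOWERCASE":
            value = value.lower()
        return {
            "STARTS_WITH": value.startswith(self.target_string),
            "ENDS_WITH": value.endswith(self.target_string),
            "CONTAINS": self.target_string in value,
            "EXACTLY": value == self.target_string,
        }[self.positional_constraint]


@dataclass
class Predicate:
    match_set: object
    negated: bool = False

    def matches(self, request):
        # negated=true means "the request does NOT match the set"
        return self.match_set.matches(request) != self.negated


@dataclass
class Rule:
    name: str
    predicates: list

    def matches(self, request):
        # WAF Classic requires every predicate of a rule to match
        return all(p.matches(request) for p in self.predicates)


@dataclass
class WebACL:
    default_action: str
    rules: list  # (priority, action, Rule)

    def evaluate(self, request):
        # Lowest priority number first; first ALLOW/BLOCK hit is final; COUNT does not stop evaluation
        for _priority, action, rule in sorted(self.rules, key=lambda r: r[0]):
            if rule.matches(request) and action in ("ALLOW", "BLOCK"):
                return action, rule.name
        return self.default_action, "default_action"


# ACL 1: the aws_wafregional_* example (default ALLOW, BLOCK the 192.0.7.0/24 IP set)
BLOCKLIST_ACL = WebACL(
    default_action="ALLOW",
    rules=[(1, "BLOCK", Rule("tfWAFRule", [Predicate(IPSet(["192.0.7.0/24"]))]))],
)

# ACL 2: the CloudFormation example (default BLOCK, ALLOW URIs starting with /public/)
ALLOWLIST_ACL = WebACL(
    default_action="BLOCK",
    rules=[(2, "ALLOW", Rule("WAF-Example-Whitelist",
                             [Predicate(ByteMatchSet("URI", "STARTS_WITH", "/public/"))]))],
)

# Constructed sample requests
SAMPLE_REQUESTS = [
    {"source_ip": "192.0.7.10", "uri": "/public/index.html"},
    {"source_ip": "198.51.100.5", "uri": "/public/index.html"},
    {"source_ip": "198.51.100.5", "uri": "/admin/"},
    {"source_ip": "198.51.100.5", "uri": "/Public/x"},  # case differs; NONE transformation is case-sensitive
]


def evaluate_all(acl, requests):
    """Return the final action for each request under the given ACL."""
    return [acl.evaluate(r)[0] for r in requests]


if __name__ == "__main__":
    for name, acl in (("blocklist", BLOCKLIST_ACL), ("allowlist", ALLOWLIST_ACL)):
        for req, action in zip(SAMPLE_REQUESTS, evaluate_all(acl, SAMPLE_REQUESTS)):
            print(f"{name:9} {req['source_ip']:14} {req['uri']:20} -> {action}")
```

The last sample request shows the practical difference between the two postures: with TextTransformation NONE, a URI that differs only in case does not match the allow rule and falls through to the default action, so in the allow-list ACL it is blocked, whereas in the block-list ACL anything not explicitly matched is allowed. Whichever posture you choose, the web ACL only has an effect once it is attached through an aws_wafregional_web_acl_association (or the AWS::WAFRegional::WebACLAssociation in the CloudFormation variant).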