# WAF Web ACL for API Protection
resource "aws_wafv2_web_acl" "api_gateway" {
  # Created only when var.create_waf is true; the association below indexes [0] accordingly.
  count       = var.create_waf ? 1 : 0
  name        = "${var.api_gateway_name}-waf"
  description = "WAF for User Management API Gateway"
  # REGIONAL scope is the one used for regional resources such as API Gateway stages
  # (CLOUDFRONT scope would require the us-east-1 provider).
  scope       = "REGIONAL"
  # Requests that no rule blocks are allowed through, so protection relies entirely on
  # the rules below. Review the AWS console / sampled requests to confirm nothing is
  # silently passing.
  default_action {
    allow {}
  }
  # AWS managed rules - protection against common attacks
  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 1
    # none {} keeps the managed group's own rule actions (block) in effect;
    # count {} would turn the group into observe-only mode.
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    # NOTE(review): this group includes body size restrictions that can block legitimate
    # large JSON payloads — confirm against expected request sizes before enforcing.
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWSManagedRulesCommonRuleSet"
      sampled_requests_enabled   = true
    }
  }
  # SQL injection protection
  rule {
    name     = "AWSManagedRulesSQLiRuleSet"
    priority = 2
    # Same as above: managed group actions are not overridden.
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesSQLiRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWSManagedRulesSQLiRuleSet"
      sampled_requests_enabled   = true
    }
  }
  # Rate limiting rule (optional)
  # Blocks a source IP that exceeds 2000 requests within the evaluation window
  # (5 minutes by default, since evaluation_window_sec is not set here).
  # NOTE(review): aggregate_key_type "IP" uses the connecting address. If traffic reaches
  # the API through CloudFront or another proxy, that is the proxy's IP, and this rule
  # would throttle all clients together — FORWARDED_IP (X-Forwarded-For) is the usual
  # alternative in that topology; confirm how clients reach this stage.
  rule {
    name     = "RateLimit"
    priority = 10
    action {
      block {}
    }
    statement {
      rate_based_statement {
        limit              = 2000
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "RateLimit"
      sampled_requests_enabled   = true
    }
  }
  # ACL-level metrics and request sampling. Note that sampled requests are not full
  # logs; no aws_wafv2_web_acl_logging_configuration is defined in this file, so
  # confirm WAF logging (to S3 / CloudWatch Logs / Firehose) exists elsewhere if
  # blocked requests need to be investigated during incident response.
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "${var.api_gateway_name}-waf"
    sampled_requests_enabled   = true
  }
  tags = merge(var.tags, {
    Name        = "${var.api_gateway_name}-waf"
    Environment = var.environment
    Project     = "user-management"
  })
}
# Associate WAF with API Gateway
resource "aws_wafv2_web_acl_association" "api_gateway" {
  # Mirrors the web ACL's count so the [0] index below is always valid.
  count        = var.create_waf ? 1 : 0
  # NOTE(review): this references an aws_apigatewayv2_stage (API Gateway v2 = HTTP or
  # WebSocket API). AWS WAF web ACLs can be associated with API Gateway REST API stages
  # (aws_api_gateway_stage), but not with API Gateway v2 stages, so this association is
  # expected to be rejected at apply time. Verify the API type; if it is an HTTP API, put
  # an ALB or CloudFront distribution in front of it and attach the WAF there instead.
  resource_arn = aws_apigatewayv2_stage.production.arn
  web_acl_arn  = aws_wafv2_web_acl.api_gateway[0].arn
}