Created
November 15, 2019 11:23
-
-
Save cm-kajiwara-taishi/3e705b00739bc6bd812b635166981f0e to your computer and use it in GitHub Desktop.
cloudformation-waf-uri-ipsets-rule
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| AWSTemplateFormatVersion: 2010-09-09 | |
| Metadata: | |
| AWS::CloudFormation::Interface: | |
| ParameterGroups: | |
| - Label: | |
| default: "WebACL" | |
| Parameters: | |
| - CreateWebACL | |
| - WebACLDefaultAction | |
| - Label: | |
| default: "IP Addresses" | |
| Parameters: | |
| - IPAddress1 | |
| - IPAddress2 | |
| - IPAddress3 | |
| - Label: | |
| default: "URI1" | |
| Parameters: | |
| - MatchType1 | |
| - URI1 | |
| - Label: | |
| default: "URI2" | |
| Parameters: | |
| - MatchType2 | |
| - URI2 | |
| - Label: | |
| default: "URI3" | |
| Parameters: | |
| - MatchType3 | |
| - URI3 | |
| Parameters: | |
| CreateWebACL: | |
| Type: String | |
| Default: 'Yes' | |
| AllowedValues: ['Yes','No'] | |
| WebACLDefaultAction: | |
| Type: String | |
| Default: ALLOW | |
| AllowedValues: [ALLOW,BLOCK] | |
| IPAddress1: | |
| Type: String | |
| Default: '' | |
| IPAddress2: | |
| Type: String | |
| Default: '' | |
| IPAddress3: | |
| Type: String | |
| Default: '' | |
| URI1: | |
| Type: String | |
| URI2: | |
| Type: String | |
| URI3: | |
| Type: String | |
| MatchType1: | |
| Type: String | |
| Default: '' | |
| AllowedValues: ['','CONTAINS','CONTAINS_WORD','EXACTLY','STARTS_WITH','ENDS_WITH'] | |
| MatchType2: | |
| Type: String | |
| Default: '' | |
| AllowedValues: ['','CONTAINS','CONTAINS_WORD','EXACTLY','STARTS_WITH','ENDS_WITH'] | |
| MatchType3: | |
| Type: String | |
| Default: '' | |
| AllowedValues: ['','CONTAINS','CONTAINS_WORD','EXACTLY','STARTS_WITH','ENDS_WITH'] | |
| Conditions: | |
| CreateWebACL: !Equals [ !Ref CreateWebACL, 'Yes' ] | |
| HasIPAddress1: !Not [!Equals [!Ref IPAddress1, '']] | |
| HasIPAddress2: !Not [!Equals [!Ref IPAddress2, '']] | |
| HasIPAddress3: !Not [!Equals [!Ref IPAddress3, '']] | |
| HasFieldToMatch1: !Not [!Equals [!Ref MatchType1, '']] | |
| HasFieldToMatch2: !Not [!Equals [!Ref MatchType2, '']] | |
| HasFieldToMatch3: !Not [!Equals [!Ref MatchType3, '']] | |
| Resources: | |
| WAFURISet: | |
| Type: 'AWS::WAF::ByteMatchSet' | |
| Properties: | |
| ByteMatchTuples: | |
| - !If | |
| - HasFieldToMatch1 | |
| - FieldToMatch: | |
| Type: URI | |
| PositionalConstraint: | |
| !Ref MatchType1 | |
| TargetString: | |
| !Ref URI1 | |
| TextTransformation: NONE | |
| - !Ref AWS::NoValue | |
| - !If | |
| - HasFieldToMatch2 | |
| - FieldToMatch: | |
| Type: URI | |
| PositionalConstraint: | |
| !Ref MatchType2 | |
| TargetString: | |
| !Ref URI2 | |
| TextTransformation: NONE | |
| - !Ref AWS::NoValue | |
| - !If | |
| - HasFieldToMatch3 | |
| - FieldToMatch: | |
| Type: URI | |
| PositionalConstraint: | |
| !Ref MatchType3 | |
| TargetString: | |
| !Ref URI3 | |
| TextTransformation: NONE | |
| - !Ref AWS::NoValue | |
| Name: !Sub '${AWS::StackName} - URI Set' | |
| WAFIPSet: | |
| Type: 'AWS::WAF::IPSet' | |
| Properties: | |
| IPSetDescriptors: | |
| - !If | |
| - HasIPAddress1 | |
| - Type: IPV4 | |
| Value: !Ref IPAddress1 | |
| - !Ref AWS::NoValue | |
| - !If | |
| - HasIPAddress2 | |
| - Type: IPV4 | |
| Value: !Ref IPAddress2 | |
| - !Ref AWS::NoValue | |
| - !If | |
| - HasIPAddress3 | |
| - Type: IPV4 | |
| Value: !Ref IPAddress3 | |
| - !Ref AWS::NoValue | |
| Name: !Sub '${AWS::StackName} - IP Set' | |
| WAFAllowRule: | |
| Type: 'AWS::WAF::Rule' | |
| Properties: | |
| Name: !Sub '${AWS::StackName} - Allow Path And IP Rule' | |
| MetricName: !Join ['', [!Join ['', !Split ['-', !Ref 'AWS::StackName']], 'AllowPathIPlistRule']] | |
| Predicates: | |
| - DataId: !Ref WAFURISet | |
| Negated: false | |
| Type: ByteMatch | |
| - DataId: !Ref WAFIPSet | |
| Negated: false | |
| Type: IPMatch | |
| WAFBlockRule: | |
| Type: 'AWS::WAF::Rule' | |
| Properties: | |
| Name: !Sub '${AWS::StackName} - Block Path And Not IP Rule' | |
| MetricName: !Join ['', [!Join ['', !Split ['-', !Ref 'AWS::StackName']], 'BlockPathIPlistRule']] | |
| Predicates: | |
| - DataId: !Ref WAFURISet | |
| Negated: false | |
| Type: ByteMatch | |
| - DataId: !Ref WAFIPSet | |
| Negated: true | |
| Type: IPMatch | |
| WAFWebACL: | |
| Condition: CreateWebACL | |
| Type: 'AWS::WAF::WebACL' | |
| Properties: | |
| Name: !Ref 'AWS::StackName' | |
| DefaultAction: | |
| Type: !Ref WebACLDefaultAction | |
| MetricName: !Join ['', [!Join ['', !Split ['-', !Ref 'AWS::StackName']], 'Metric']] | |
| Rules: | |
| - Action: | |
| Type: ALLOW | |
| Priority: 10 | |
| RuleId: !Ref WAFAllowRule | |
| - Action: | |
| Type: BLOCK | |
| Priority: 20 | |
| RuleId: !Ref WAFBlockRule | |
| Outputs: | |
| WAFAllowRule: | |
| Value: !Ref WAFAllowRule | |
| WAFBlockRule: | |
| Value: !Ref WAFBlockRule | |
| WAFWebACL: | |
| Condition: CreateWebACL | |
| Value: !Ref WAFWebACL | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment