
Commit a613d91

authored
feat: add authorized endpoints with constraints for WAF rules (#888)
1 parent 6922777 commit a613d91


2 files changed

+39
-210
lines changed


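--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -42,3 +42,27 @@ variable "slack_webhook_url" {
 type = string
 sensitive = true
 }
+
+variable "authorized_endpoints_with_constraints" {
+description = "List of authorized endpoints with their positional constraints"
+type = list(object({
+path = string
+positional_constraint = string
+}))
+default = [
+{ path = "/auth/login", positional_constraint = "EXACTLY" },
+{ path = "/auth/logout", positional_constraint = "EXACTLY" },
+{ path = "/auth/callback", positional_constraint = "EXACTLY" },
+{ path = "/auth/me", positional_constraint = "EXACTLY" },
+{ path = "/request_access", positional_constraint = "EXACTLY" },
+{ path = "/active_requests", positional_constraint = "EXACTLY" },
+{ path = "/past_requests", positional_constraint = "EXACTLY" },
+{ path = "/accounts", positional_constraint = "EXACTLY" },
+{ path = "/geolocate", positional_constraint = "STARTS_WITH" },
+{ path = "/hook", positional_constraint = "STARTS_WITH" },
+{ path = "/version", positional_constraint = "EXACTLY" },
+{ path = "/static", positional_constraint = "STARTS_WITH" },
+{ path = "/access", positional_constraint = "STARTS_WITH" },
+{ path = "/health", positional_constraint = "EXACTLY" }
+]
+}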
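Review bot: `positional_constraint` is declared as a bare `string` (new line 50), so a misspelled value such as "EXACT", or a list too short for the `or_statement` it feeds in terraform/waf.tf (I believe AWS WAFv2 rejects an or_statement with fewer than two statements), is only reported at apply time rather than by `terraform plan`; two `validation` blocks on the variable would catch both early, as sketched below. The default list also does not carry over the `"/"` entry that the removed inline rules in terraform/waf.tf allowed, while it newly allows `/accounts`, `/access` and `/health`; if dropping the root path is intended, a short comment on the default saying so would spare the next reader a diff archaeology. Finally, the `STARTS_WITH` entries have no trailing slash, so `/access` also admits any path beginning with those characters (a constructed example: `/accessible`), which is worth stating in a comment if it is deliberate.
```hcl
variable "authorized_endpoints_with_constraints" {
  # … unchanged: description, type, default …

  validation {
    condition     = length(var.authorized_endpoints_with_constraints) >= 2
    error_message = "At least two endpoints are required: the WAF or_statement built from this list needs two or more statements."
  }

  validation {
    condition = alltrue([
      for e in var.authorized_endpoints_with_constraints :
      contains(["EXACTLY", "STARTS_WITH", "ENDS_WITH", "CONTAINS", "CONTAINS_WORD"], e.positional_constraint)
    ])
    error_message = "positional_constraint must be one of EXACTLY, STARTS_WITH, ENDS_WITH, CONTAINS or CONTAINS_WORD."
  }
}
```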

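--- a/terraform/waf.tf
+++ b/terraform/waf.tf
@@ -151,218 +151,23 @@ resource "aws_wafv2_web_acl" "sre-bot" {
 }
 
 statement {
-and_statement {
+not_statement {
 statement {
-not_statement {
-statement {
-byte_match_statement {
-search_string = "/auth/login"
-field_to_match {
-uri_path {}
+or_statement {
+dynamic "statement" {
+for_each = var.authorized_endpoints_with_constraints
+content {
+byte_match_statement {
+search_string = statement.value.path
+field_to_match {
+uri_path {}
+}
+text_transformation {
+priority = 0
+type = "NONE"
+}
+positional_constraint = statement.value.positional_constraint
 }
-text_transformation {
-priority = 0
-type = "NONE"
-}
-positional_constraint = "EXACTLY"
-}
-}
-}
-}
-
-statement {
-not_statement {
-statement {
-byte_match_statement {
-search_string = "/auth/logout"
-field_to_match {
-uri_path {}
-}
-text_transformation {
-priority = 0
-type = "NONE"
-}
-positional_constraint = "EXACTLY"
-}
-}
-}
-}
-
-statement {
-not_statement {
-statement {
-byte_match_statement {
-search_string = "/auth/callback"
-field_to_match {
-uri_path {}
-}
-text_transformation {
-priority = 0
-type = "NONE"
-}
-positional_constraint = "EXACTLY"
-}
-}
-}
-}
-
-
-statement {
-not_statement {
-statement {
-byte_match_statement {
-search_string = "/"
-field_to_match {
-uri_path {}
-}
-text_transformation {
-priority = 0
-type = "NONE"
-}
-positional_constraint = "EXACTLY"
-}
-}
-}
-}
-
-statement {
-not_statement {
-statement {
-byte_match_statement {
-search_string = "/static"
-field_to_match {
-uri_path {}
-}
-text_transformation {
-priority = 0
-type = "NONE"
-}
-positional_constraint = "STARTS_WITH"
-}
-}
-}
-}
-
-statement {
-not_statement {
-statement {
-byte_match_statement {
-search_string = "/auth/me"
-field_to_match {
-uri_path {}
-}
-text_transformation {
-priority = 0
-type = "NONE"
-}
-positional_constraint = "EXACTLY"
-}
-}
-}
-}
-
-statement {
-not_statement {
-statement {
-byte_match_statement {
-search_string = "/request_access"
-field_to_match {
-uri_path {}
-}
-text_transformation {
-priority = 0
-type = "NONE"
-}
-positional_constraint = "EXACTLY"
-}
-}
-}
-}
-
-statement {
-not_statement {
-statement {
-byte_match_statement {
-search_string = "/active_requests"
-field_to_match {
-uri_path {}
-}
-text_transformation {
-priority = 0
-type = "NONE"
-}
-positional_constraint = "EXACTLY"
-}
-}
-}
-}
-
-statement {
-not_statement {
-statement {
-byte_match_statement {
-search_string = "/past_requests"
-field_to_match {
-uri_path {}
-}
-text_transformation {
-priority = 0
-type = "NONE"
-}
-positional_constraint = "EXACTLY"
-}
-}
-}
-}
-
-statement {
-not_statement {
-statement {
-byte_match_statement {
-search_string = "/geolocate"
-field_to_match {
-uri_path {}
-}
-text_transformation {
-priority = 0
-type = "NONE"
-}
-positional_constraint = "STARTS_WITH"
-}
-}
-}
-}
-statement {
-not_statement {
-statement {
-byte_match_statement {
-search_string = "/hook"
-field_to_match {
-uri_path {}
-}
-text_transformation {
-priority = 0
-type = "NONE"
-}
-positional_constraint = "STARTS_WITH"
-}
-}
-}
-}
-
-statement {
-not_statement {
-statement {
-byte_match_statement {
-search_string = "/version"
-field_to_match {
-uri_path {}
-}
-text_transformation {
-priority = 0
-type = "NONE"
-}
-positional_constraint = "EXACTLY"
 }
 }
 }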
