Ecs waf lb fixes (#93)

* Adding WAF for ECS
* Minor fixes for ELB

Author: LeoDiazL

README.md

@@ -57,6 +57,7 @@ jobs:
 1. [VPC](#vpc-inputs)
 1. [AWS Route53 Domains and Certificates](#aws-route53-domains-and-certificate-inputs)
 1. [Load Balancer](#load-balancer-inputs)
+1. [WAF](#waf)
 1. [EFS](#efs-inputs)
 1. [RDS](#rds-inputs)
 1. [Amazon Aurora Inputs](#aurora-inputs)
@@ -210,9 +211,32 @@ The following inputs can be used as `step.with` keys
 <hr/>
 <br/>
 
-#### **EFS Inputs**
+#### **WAF**
 | Name             | Type    | Description                        |
 |------------------|---------|------------------------------------|
+| `aws_waf_enable` | Boolean | Enable WAF for load balancer (LB only - NOT ELB). Default is `false` |
+| `aws_waf_logging_enable`| Boolean | Enable WAF logging to CloudWatch. Default `false` |
+| `aws_waf_log_retention_days`| Number | CloudWatch log retention period for WAF logs. Default `30` |
+| `aws_waf_rule_rate_limit`| String | Rate limit for WAF rules. Default is `2000` |
+| `aws_waf_rule_managed_rules`| Boolean | Enable common managed rule groups to use. Default `false` |
+| `aws_waf_rule_managed_bad_inputs`| Boolean | Enable managed rule for bad inputs. Default `false` |
+| `aws_waf_rule_ip_reputation`| Boolean | Enable managed rule for IP reputation. Default `false` |
+| `aws_waf_rule_anonymous_ip`| Boolean | Enable managed rule for anonymous IP. Default `false` |
+| `aws_waf_rule_bot_control`| Boolean | Enable managed rule for bot control (costs extra). Default `false` |
+| `aws_waf_rule_geo_block_countries`| String | Comma separated list of countries to block. |
+| `aws_waf_rule_geo_allow_only_countries`| String | Comma separated list of countries to allow. |
+| `aws_waf_rule_sqli`| Boolean | Enable managed rule for SQL injection. Default `false` |
+| `aws_waf_rule_linux`| Boolean | Enable managed rule for Linux. Default `false` |
+| `aws_waf_rule_unix`| Boolean | Enable managed rule for Unix. Default `false` |
+| `aws_waf_rule_admin_protection`| Boolean | Enable managed rule for admin protection. Default `false` |
+| `aws_waf_rule_user_arn`| String | String of the user created ARN set of rules. |
+| `aws_waf_additional_tags`| String | A list of strings that will be added to created resources. Default `"{}"` |
+<hr/>
+<br/>
+
+#### **EFS Inputs**
+| Name             | Type    | Descrifption                        |
+|------------------|---------|------------------------------------|
 | `aws_efs_create` | Boolean | Toggle to indicate whether to create an EFS volume and mount it to the EC2 instance as a part of the provisioning. Note: The stack will manage the EFS and will be destroyed along with the stack. |
 | `aws_efs_fs_id` | String | ID of existing EFS volume if you wish to use an existing one. |
 | `aws_efs_create_mount_target` | String | Toggle to indicate whether we should create a mount target for the EFS volume or not. Defaults to `true`.|
@@ -457,7 +481,7 @@ The following inputs can be used as `step.with` keys
 | `aws_ecr_repo_read_arn` | String | The ARNs of the IAM users/roles that have read access to the repository. (Comma separated list)' |
 | `aws_ecr_repo_write_arn` | String | The ARNs of the IAM users/roles that have read/write access to the repository. (Comma separated list)' |
 | `aws_ecr_repo_read_arn_lambda` | String | The ARNs of the Lambda service roles that have read access to the repository. (Comma separated list)' |
-| `aws_ecr_lifecycle_policy_input` | String | The policy document. This is a JSON formatted string. See more details about [Policy Parameters](http://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html#lifecycle_policy_parameters) in the official AWS docs' |
+| `aws_ecr_lifecycle_policy_input` | JSON | The policy document. This is a JSON formatted string. See more details about [Policy Parameters](http://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html#lifecycle_policy_parameters) in the official AWS docs' |
 | `aws_ecr_public_repo_catalog` | String | Catalog data configuration for the repository. Defaults to `{}`.' |
 | `aws_ecr_registry_policy_input` | String | The policy document. This is a JSON formatted string' |
 | `aws_ecr_additional_tags ` | JSON | Add additional tags to the terraform [default tags](https://www.hashicorp.com/blog/default-tags-in-the-terraform-aws-provider), any tags put here will be added to ECR provisioned resources.|
@@ -731,4 +755,4 @@ We would love for you to contribute to [bitovi/github-actions-deploy-docker-to-e
 Would you like to see additional features?  [Create an issue](https://github.com/bitovi/github-actions-deploy-docker-to-ec2/issues/new) or a [Pull Requests](https://github.com/bitovi/github-actions-deploy-docker-to-ec2/pulls). We love discussing solutions!
 
 ## License
-The scripts and documentation in this project are released under the [MIT License](https://github.com/bitovi/github-actions-deploy-docker-to-ec2/blob/main/LICENSE).
+The scripts and documentation in this project are released under the [MIT License](https://github.com/bitovi/github-actions-deploy-docker-to-ec2/blob/main/LICENSE).

action.yaml

@@ -280,6 +280,59 @@ inputs:
     description: 'A JSON object of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}`'
     required: false
 
+  # AWS WAF
+  aws_waf_enable:
+    description: 'Enable WAF for load balancer.'
+    required: false
+  aws_waf_logging_enable:
+    description: 'Enable WAF logging to CloudWatch.'
+    required: false
+  aws_waf_log_retention_days:
+    description: 'CloudWatch log retention period for WAF logs.'
+    required: false
+  aws_waf_rule_rate_limit:
+    description: 'Rate limit for WAF rules.'
+    required: false
+  aws_waf_rule_managed_rules:
+    description: 'Enable common managed rule groups to use.'
+    required: false
+  aws_waf_rule_managed_bad_inputs:
+    description: 'Enable managed rule for bad inputs.'
+    required: false
+  aws_waf_rule_ip_reputation:
+    description: 'Enable managed rule for IP reputation.'
+    required: false
+  aws_waf_rule_anonymous_ip:
+    description: 'Enable managed rule for anonymous IP.'
+    required: false
+  aws_waf_rule_bot_control:
+    description: 'Enable managed rule for bot control (costs extra).'
+    required: false
+  aws_waf_rule_geo_block_countries:
+    description: 'Comma separated list of countries to block.'
+    required: false
+  aws_waf_rule_geo_allow_only_countries:
+    description: 'Comma separated list of countries to allow.'
+    required: false
+  aws_waf_rule_sqli:
+    description: 'Enable managed rule for SQL injection.'
+    required: false
+  aws_waf_rule_linux:
+    description: 'Enable managed rule for Linux.'
+    required: false
+  aws_waf_rule_unix:
+    description: 'Enable managed rule for Unix.'
+    required: false
+  aws_waf_rule_admin_protection:
+    description: 'Enable managed rule for admin protection.'
+    required: false
+  aws_waf_rule_user_arn:
+    description: 'ARN of the user rule.'
+    required: false
+  aws_waf_additional_tags:
+    description: 'A JSON object of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}`'
+    required: false
+
   # AWS EFS
   aws_efs_create: 
     description: 'Toggle to indicate whether to create and EFS and mount it to the ec2 as a part of the provisioning. Note: The EFS will be managed by the stack and will be destroyed along with the stack.'
@@ -1200,6 +1253,25 @@ runs:
         AWS_ELB_ACCESS_LOG_EXPIRE: ${{ inputs.aws_elb_access_log_expire }}
         AWS_ELB_ADDITIONAL_TAGS: ${{ inputs.aws_elb_additional_tags }}
 
+        # AWS WAF
+        AWS_WAF_ENABLE: ${{ inputs.aws_waf_enable }}
+        AWS_WAF_LOGGING_ENABLE: ${{ inputs.aws_waf_logging_enable }}
+        AWS_WAF_LOG_RETENTION_DAYS: ${{ inputs.aws_waf_log_retention_days }}
+        AWS_WAF_ADDITIONAL_TAGS: ${{ inputs.aws_waf_additional_tags }}
+        AWS_WAF_RULE_RATE_LIMIT: ${{ inputs.aws_waf_rule_rate_limit }}
+        AWS_WAF_RULE_MANAGED_RULES: ${{ inputs.aws_waf_rule_managed_rules }}
+        AWS_WAF_RULE_MANAGED_BAD_INPUTS: ${{ inputs.aws_waf_rule_managed_bad_inputs }}
+        AWS_WAF_RULE_IP_REPUTATION: ${{ inputs.aws_waf_rule_ip_reputation }}
+        AWS_WAF_RULE_ANONYMOUS_IP: ${{ inputs.aws_waf_rule_anonymous_ip }}
+        AWS_WAF_RULE_BOT_CONTROL: ${{ inputs.aws_waf_rule_bot_control }}
+        AWS_WAF_RULE_GEO_BLOCK_COUNTRIES: ${{ inputs.aws_waf_rule_geo_block_countries }}
+        AWS_WAF_RULE_GEO_ALLOW_ONLY_COUNTRIES: ${{ inputs.aws_waf_rule_geo_allow_only_countries }}
+        AWS_WAF_RULE_USER_ARN: ${{ inputs.aws_waf_rule_user_arn }}
+        AWS_WAF_RULE_SQLI: ${{ inputs.aws_waf_rule_sqli }}
+        AWS_WAF_RULE_LINUX: ${{ inputs.aws_waf_rule_linux }}
+        AWS_WAF_RULE_UNIX: ${{ inputs.aws_waf_rule_unix }}
+        AWS_WAF_RULE_ADMIN_PROTECTION: ${{ inputs.aws_waf_rule_admin_protection }}
+
         # AWS EFS
         AWS_EFS_CREATE: ${{ inputs.aws_efs_create }}
         AWS_EFS_FS_ID: ${{ inputs.aws_efs_fs_id }}

operations/_scripts/generate/generate_provider.sh

@@ -74,6 +74,6 @@ provider \"kubernetes\" {
 }" >> "${GITHUB_ACTION_PATH}/operations/deployment/terraform/$1/bitovi_provider.tf"
 }
 
-generate_provider_aws aws ec2,r53,elb,efs,vpc,rds,aurora,ecs,db_proxy,redis,eks,ecr 
+generate_provider_aws aws ec2,r53,elb,efs,vpc,rds,aurora,ecs,db_proxy,redis,eks,ecr,waf
 
 echo "Done with generate_provider.sh"

operations/_scripts/generate/generate_vars_terraform.sh

@@ -132,6 +132,27 @@ if [[ $(alpha_only "$AWS_ELB_CREATE") == true ]]; then
   aws_elb_additional_tags=$(generate_var aws_elb_additional_tags $AWS_ELB_ADDITIONAL_TAGS)
 fi
 
+#-- AWS WAF --#
+if [[ $(alpha_only "$AWS_WAF_ENABLE") == true ]]; then
+  aws_waf_enable=$(generate_var aws_waf_enable $AWS_WAF_ENABLE)
+  aws_waf_logging_enable=$(generate_var aws_waf_logging_enable $AWS_WAF_LOGGING_ENABLE)
+  aws_waf_log_retention_days=$(generate_var aws_waf_log_retention_days $AWS_WAF_LOG_RETENTION_DAYS)
+  aws_waf_additional_tags=$(generate_var aws_waf_additional_tags $AWS_WAF_ADDITIONAL_TAGS)
+  aws_waf_rule_rate_limit=$(generate_var aws_waf_rule_rate_limit $AWS_WAF_RULE_RATE_LIMIT)
+  aws_waf_rule_managed_rules=$(generate_var aws_waf_rule_managed_rules $AWS_WAF_RULE_MANAGED_RULES)
+  aws_waf_rule_managed_bad_inputs=$(generate_var aws_waf_rule_managed_bad_inputs $AWS_WAF_RULE_MANAGED_BAD_INPUTS)
+  aws_waf_rule_ip_reputation=$(generate_var aws_waf_rule_ip_reputation $AWS_WAF_RULE_IP_REPUTATION)
+  aws_waf_rule_anonymous_ip=$(generate_var aws_waf_rule_anonymous_ip $AWS_WAF_RULE_ANONYMOUS_IP)
+  aws_waf_rule_bot_control=$(generate_var aws_waf_rule_bot_control $AWS_WAF_RULE_BOT_CONTROL)
+  aws_waf_rule_geo_block_countries=$(generate_var aws_waf_rule_geo_block_countries $AWS_WAF_RULE_GEO_BLOCK_COUNTRIES)
+  aws_waf_rule_geo_allow_only_countries=$(generate_var aws_waf_rule_geo_allow_only_countries $AWS_WAF_RULE_GEO_ALLOW_ONLY_COUNTRIES)
+  aws_waf_rule_user_arn=$(generate_var aws_waf_rule_user_arn $AWS_WAF_RULE_USER_ARN)
+  aws_waf_rule_sqli=$(generate_var aws_waf_rule_sqli $AWS_WAF_RULE_SQLI)
+  aws_waf_rule_linux=$(generate_var aws_waf_rule_linux $AWS_WAF_RULE_LINUX)
+  aws_waf_rule_unix=$(generate_var aws_waf_rule_unix $AWS_WAF_RULE_UNIX)
+  aws_waf_rule_admin_protection=$(generate_var aws_waf_rule_admin_protection $AWS_WAF_RULE_ADMIN_PROTECTION)
+fi
+
 #-- AWS EFS --#
 if [[ $(alpha_only "$AWS_EFS_ENABLE") == true ]]; then
   aws_efs_enable=$(generate_var aws_efs_enable $AWS_EFS_ENABLE)
@@ -470,6 +491,25 @@ $aws_elb_access_log_expire
 $aws_elb_access_log_bucket_name
 $aws_elb_additional_tags
 
+#-- WAF --#
+$aws_waf_enable
+$aws_waf_logging_enable
+$aws_waf_log_retention_days
+$aws_waf_additional_tags
+$aws_waf_rule_rate_limit
+$aws_waf_rule_managed_rules
+$aws_waf_rule_managed_bad_inputs
+$aws_waf_rule_ip_reputation
+$aws_waf_rule_anonymous_ip
+$aws_waf_rule_bot_control
+$aws_waf_rule_geo_block_countries
+$aws_waf_rule_geo_allow_only_countries
+$aws_waf_rule_user_arn
+$aws_waf_rule_sqli
+$aws_waf_rule_linux
+$aws_waf_rule_unix
+$aws_waf_rule_admin_protection
+
 #-- EFS --#
 $aws_efs_enable
 $aws_efs_create

operations/deployment/terraform/aws/aws_variables.tf

@@ -327,6 +327,111 @@ variable "aws_elb_additional_tags" {
   default     = "{}"
 }
 
+# AWS LB
+
+# AWS WAF
+variable "aws_waf_enable" {
+  type        = bool
+  description = "Enable WAF for load balancer"
+  default     = false
+}
+
+variable "aws_waf_logging_enable" {
+  type        = bool
+  description = "Enable WAF logging to CloudWatch"
+  default     = false
+}
+
+variable "aws_waf_log_retention_days" {
+  type        = number
+  description = "CloudWatch log retention period for WAF logs"
+  default     = 30
+}
+
+variable "aws_waf_additional_tags" {
+  type        = string
+  description = "A list of strings that will be added to created resources"
+  default     = "{}"
+}
+
+variable "aws_waf_rule_rate_limit" {
+  type        = string
+  description = "Rate limit for WAF rules"
+  default     = "2000"
+}
+
+variable "aws_waf_rule_managed_rules" {
+  type        = bool
+  description = "Enable common managed rule groups to use"
+  default     = false
+}
+
+variable "aws_waf_rule_managed_bad_inputs" {
+  type        = bool
+  description = "Enable managed rule for bad inputs"
+  default     = false
+}
+
+variable "aws_waf_rule_ip_reputation" {
+  type        = bool
+  description = "Enable managed rule for IP reputation"
+  default     = false
+}
+
+variable "aws_waf_rule_anonymous_ip" {
+  type        = bool
+  description = "Enable managed rule for anonymous IP"
+  default     = false
+}
+
+variable "aws_waf_rule_bot_control" {
+  type        = bool
+  description = "Enable managed rule for bot control (costs extra)"
+  default     = false
+}
+
+variable "aws_waf_rule_geo_block_countries" {
+  type        = string
+  description = "Comma separated list of countries to block"
+  default     = ""
+}
+
+variable "aws_waf_rule_geo_allow_only_countries" {
+  type        = string
+  description = "Comma separated list of countries to allow"
+  default     = ""
+}
+
+variable "aws_waf_rule_sqli" {
+  type        = bool
+  description = "Enable managed rule for SQL injection"
+  default     = false
+}
+
+variable "aws_waf_rule_linux" {
+  type        = bool
+  description = "Enable managed rule for Linux"
+  default     = false
+}
+
+variable "aws_waf_rule_unix" {
+  type        = bool
+  description = "Enable managed rule for Unix"
+  default     = false
+}
+
+variable "aws_waf_rule_admin_protection" {
+  type        = bool
+  description = "Enable managed rule for admin protection"
+  default     = false
+}
+
+variable "aws_waf_rule_user_arn" {
+  type        = string
+  description = "ARN of the user rule"
+  default     = ""
+}
+
 # AWS EFS
 
 ### This variable is hidden for the end user. Is built in deploy.sh based on the next 3 variables. 

operations/deployment/terraform/aws/bitovi_main.tf

@@ -101,7 +101,7 @@ module "aws_route53" {
 
 module "aws_elb" {
   source = "../modules/aws/elb"
-  count  = var.aws_ec2_instance_create && var.aws_elb_create ? 1 : 0 
+  count  = var.aws_ec2_instance_create && var.aws_elb_create ? 1 : 0
   # ELB Values
   aws_elb_security_group_name        = var.aws_elb_security_group_name
   aws_elb_app_port                   = var.aws_elb_app_port
@@ -530,6 +530,37 @@ module "aws_route53_ecs" {
   }
 }
 
+module "aws_waf_ecs" {
+  source = "../modules/aws/waf"
+  count  = var.aws_waf_enable && var.aws_ecs_enable ? 1 : 0
+  aws_waf_enable             = var.aws_waf_enable
+  aws_waf_logging_enable     = var.aws_waf_logging_enable
+  aws_waf_log_retention_days = var.aws_waf_log_retention_days
+  aws_resource_identifier    = var.aws_resource_identifier
+  # Rules
+  aws_waf_rule_rate_limit               = var.aws_waf_rule_rate_limit
+  aws_waf_rule_managed_rules            = var.aws_waf_rule_managed_rules
+  aws_waf_rule_managed_bad_inputs       = var.aws_waf_rule_managed_bad_inputs
+  aws_waf_rule_ip_reputation            = var.aws_waf_rule_ip_reputation
+  aws_waf_rule_anonymous_ip             = var.aws_waf_rule_anonymous_ip
+  aws_waf_rule_bot_control              = var.aws_waf_rule_bot_control
+  aws_waf_rule_geo_block_countries      = var.aws_waf_rule_geo_block_countries
+  aws_waf_rule_geo_allow_only_countries = var.aws_waf_rule_geo_allow_only_countries
+  aws_waf_rule_user_arn                 = var.aws_waf_rule_user_arn
+  aws_waf_rule_sqli                     = var.aws_waf_rule_sqli
+  aws_waf_rule_linux                    = var.aws_waf_rule_linux
+  aws_waf_rule_unix                     = var.aws_waf_rule_unix
+  aws_waf_rule_admin_protection         = var.aws_waf_rule_admin_protection
+  # Incoming
+  aws_lb_resource_arn = module.aws_ecs[0].load_balancer_arn
+  # Others
+  depends_on = [ module.aws_ecs ]
+  providers = {
+    aws = aws.waf
+  }
+}
+
+
 module "aws_ecr" {
   source = "../modules/aws/ecr"
   count  = var.aws_ecr_repo_create ? 1 : 0
@@ -649,6 +680,7 @@ locals {
   ecr_tags      = merge(local.default_tags,jsondecode(var.aws_ecr_additional_tags))
   db_proxy_tags = merge(local.default_tags,jsondecode(var.aws_db_proxy_additional_tags))
   redis_tags    = merge(local.default_tags,jsondecode(var.aws_redis_additional_tags))
+  waf_tags      = merge(local.default_tags,jsondecode(var.aws_waf_additional_tags))
 
   eks_vpc_tags = {
     // This is needed for k8s to use VPC resources

operations/deployment/terraform/modules/aws/ecs/aws_ecs_networking.tf

@@ -231,6 +231,10 @@ output "load_balancer_zone_id" {
   value = aws_alb.ecs_lb.zone_id
 }
 
+output "load_balancer_arn" {
+  value = aws_alb.ecs_lb.arn
+}
+
 output "ecs_sg_id" {
   value = aws_security_group.ecs_sg.id
 }

operations/deployment/terraform/modules/aws/elb/aws_elb.tf

@@ -14,6 +14,9 @@ resource "aws_s3_bucket_lifecycle_configuration" "lb_access_logs_lifecycle" {
   rule {
     id = "ExpirationRule"
     status = "Enabled"
+    filter {
+      prefix = ""
+    }
     expiration {
       days = tonumber(var.aws_elb_access_log_expire)
     }