Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: exclude EC2MetaDataSSRF_Body WAF ACL rule #759

Merged
merged 1 commit into from
Aug 1, 2024
Merged

fix: exclude EC2MetaDataSSRF_Body WAF ACL rule #759

merged 1 commit into from
Aug 1, 2024

Conversation

patheard
Copy link
Member

@patheard patheard commented Aug 1, 2024
edited
Loading

Summary

Update the IdP's WAf ACL to exclude the EC2MetaDataSSRF_Body rule as this is blocking the creation of new IdP apps.

Related

@patheard
fix: exclude EC2MetaDataSSRF_Body WAF ACL rule
8b26a5a 
Update the IdP's WAf ACL to exclude the EC2MetaDataSSRF_Body rule as this
is blocking the creation of new IdP apps.
@github-actions GitHub Actions
Copy link

github-actions bot commented Aug 1, 2024

⚠ Terrform update available

Terraform: 1.9.3 (using 1.9.2)
Terragrunt: 0.64.5 (using 0.63.2)

@github-actions GitHub Actions
Copy link

github-actions bot commented Aug 1, 2024

Staging: idp

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
✅   Conftest: success

Plan: 0 to add, 1 to change, 0 to destroy
Show summary
CHANGE NAME
update aws_wafv2_web_acl.idp
Show plan 
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_wafv2_web_acl.idp will be updated in-place
  ~ resource "aws_wafv2_web_acl" "idp" {
        id                          = "bab5476e-86d5-4718-aa69-55b379a8673d"
        name                        = "idp"
        tags                        = {
            "CostCentre" = "forms-platform-staging"
            "Terraform"  = "true"
        }
        # (8 unchanged attributes hidden)

      - rule {
          - name     = "AWSManagedRulesAmazonIpReputationList" -> null
          - priority = 10 -> null

          - override_action {
              - none {}
            }

          - statement {
              - managed_rule_group_statement {
                  - name        = "AWSManagedRulesAmazonIpReputationList" -> null
                  - vendor_name = "AWS" -> null
                    # (1 unchanged attribute hidden)
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = true -> null
              - metric_name                = "AWSManagedRulesAmazonIpReputationList" -> null
              - sampled_requests_enabled   = true -> null
            }
        }
      - rule {
          - name     = "AWSManagedRulesCommonRuleSet" -> null
          - priority = 50 -> null

          - override_action {
              - none {}
            }

          - statement {
              - managed_rule_group_statement {
                  - name        = "AWSManagedRulesCommonRuleSet" -> null
                  - vendor_name = "AWS" -> null
                    # (1 unchanged attribute hidden)
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = true -> null
              - metric_name                = "AWSManagedRulesCommonRuleSet" -> null
              - sampled_requests_enabled   = true -> null
            }
        }
      - rule {
          - name     = "AWSManagedRulesKnownBadInputsRuleSet" -> null
          - priority = 30 -> null

          - override_action {
              - none {}
            }

          - statement {
              - managed_rule_group_statement {
                  - name        = "AWSManagedRulesKnownBadInputsRuleSet" -> null
                  - vendor_name = "AWS" -> null
                    # (1 unchanged attribute hidden)
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = true -> null
              - metric_name                = "AWSManagedRulesKnownBadInputsRuleSet" -> null
              - sampled_requests_enabled   = true -> null
            }
        }
      - rule {
          - name     = "AWSManagedRulesLinuxRuleSet" -> null
          - priority = 40 -> null

          - override_action {
              - none {}
            }

          - statement {
              - managed_rule_group_statement {
                  - name        = "AWSManagedRulesLinuxRuleSet" -> null
                  - vendor_name = "AWS" -> null
                    # (1 unchanged attribute hidden)
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = true -> null
              - metric_name                = "AWSManagedRulesLinuxRuleSet" -> null
              - sampled_requests_enabled   = true -> null
            }
        }
      + rule {
          + name     = "AWSManagedRulesAmazonIpReputationList"
          + priority = 10

          + override_action {
              + none {}
            }

          + statement {
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesAmazonIpReputationList"
                  + vendor_name = "AWS"
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "AWSManagedRulesAmazonIpReputationList"
              + sampled_requests_enabled   = true
            }
        }
      + rule {
          + name     = "AWSManagedRulesCommonRuleSet"
          + priority = 50

          + override_action {
              + none {}
            }

          + statement {
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesCommonRuleSet"
                  + vendor_name = "AWS"
                    # (1 unchanged attribute hidden)

                  + rule_action_override {
                      + name = "EC2MetaDataSSRF_Body"

                      + action_to_use {
                          + count {
                            }
                        }
                    }
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "AWSManagedRulesCommonRuleSet"
              + sampled_requests_enabled   = true
            }
        }
      + rule {
          + name     = "AWSManagedRulesKnownBadInputsRuleSet"
          + priority = 30

          + override_action {
              + none {}
            }

          + statement {
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesKnownBadInputsRuleSet"
                  + vendor_name = "AWS"
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "AWSManagedRulesKnownBadInputsRuleSet"
              + sampled_requests_enabled   = true
            }
        }
      + rule {
          + name     = "AWSManagedRulesLinuxRuleSet"
          + priority = 40

          + override_action {
              + none {}
            }

          + statement {
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesLinuxRuleSet"
                  + vendor_name = "AWS"
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "AWSManagedRulesLinuxRuleSet"
              + sampled_requests_enabled   = true
            }
        }

        # (5 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
Show Conftest results 
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.idp_send_email"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_user.idp_send_email"]
WARN - plan.json - main - Missing Common Tags: ["aws_shield_protection.idp"]

22 tests, 19 passed, 3 warnings, 0 failures, 0 exceptions

@patheard patheard self-assigned this Aug 1, 2024
@patheard patheard merged commit 4dceba4 into develop Aug 1, 2024
11 checks passed
@patheard patheard deleted the fix/idp-waf-EC2MetaDataSSRF_Body branch August 1, 2024 18:05
wmoussa-gc
wmoussa-gc reviewed Aug 1, 2024
View reviewed changes
aws/idp/waf.tf
@@ -1,4 +1,7 @@
# TODO: add AWS Common Ruleset once service has been stood up
locals {
excluded_common_rules = ["EC2MetaDataSSRF_Body"]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we add an explanation why we are excluding?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good idea - I'll get a new PR in with a comment to explain

@sre-read-write sre-read-write bot mentioned this pull request Aug 1, 2024
Merged
@patheard patheard mentioned this pull request Aug 1, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wmoussa-gc wmoussa-gc wmoussa-gc left review comments

@craigzour craigzour craigzour approved these changes

Assignees

@patheard patheard

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@patheard @craigzour @wmoussa-gc