internet/community.general
3
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2026-05-06 13:22:48 +00:00
Code Issues Packages Projects Releases Wiki Activity

Aws waf region (#48953)

Browse Source 
* Add waiter for AWSRegional

* Add support for WAF Regional

* Add support for regional waf web acl

* Remove set_trace, pep formatting

* Add paginator for regional_waf

* Change name of param for waf_regional

This is more in line with how AWS refers to the service. Additional
 changes made to how client is called. Used ternary to reduce if
 statements

* Change parameter name to waf_regional

* Add support for removal waf regional condition

* Change parameter from cloudfront to waf_regional

* Added state: absent waf rule

* Remove set_trace

* Add integration tests for waf regional

* WIP: adding region parameter to tests

* Add support for waf facts module

* Add region to waf regional integration tests

* Update security policy for waf regional testing

* Add type to documentation for waf_regional param
This commit is contained in:
mjmayer
2019-05-16 17:36:14 -07:00
committed by Will Thames
parent 32620b7e00
commit c8e179fbf1
8 changed files with 758 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

629
test/integration/targets/aws_waf_web_acl/tasks/main.yml
View File

@@ -233,6 +233,257 @@
recreate_waf_regex_condition.condition.regex_match_tuples[0].regex_pattern_set_id !=
create_waf_regex_condition.condition.regex_match_tuples[0].regex_pattern_set_id
- name: create WAF Regional IP condition
aws_waf_condition:
name: "{{ resource_prefix }}_ip_condition"
filters:
- ip_address: "10.0.0.0/8"
type: ip
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
register: create_waf_regional_ip_condition
- name: add an IP address to WAF Regional condition
aws_waf_condition:
name: "{{ resource_prefix }}_ip_condition"
filters:
- ip_address: "10.0.0.0/8"
- ip_address: "192.168.0.0/24"
type: ip
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
register: add_ip_address_to_waf_regional_condition
- name: check expected WAF Regional filter length
assert:
that:
- add_ip_address_to_waf_regional_condition.condition.ip_set_descriptors|length == 2
- name: add an IP address to WAF Regional condition (rely on purge_filters defaulting to false)
aws_waf_condition:
name: "{{ resource_prefix }}_ip_condition"
filters:
- ip_address: "192.168.10.0/24"
type: ip
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
register: add_ip_address_to_waf_regional_condition_no_purge
- name: check WAF Regional filter length has increased
assert:
that:
- add_ip_address_to_waf_regional_condition_no_purge.condition.ip_set_descriptors|length == 3
- add_ip_address_to_waf_regional_condition_no_purge.changed
- name: add an IP address to WAF Regional condition (set purge_filters)
aws_waf_condition:
name: "{{ resource_prefix }}_ip_condition"
filters:
- ip_address: "192.168.20.0/24"
purge_filters: yes
type: ip
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
register: add_ip_address_to_waf_regional_condition_purge
- name: check WAF Regional filter length has reduced
assert:
that:
- add_ip_address_to_waf_regional_condition_purge.condition.ip_set_descriptors|length == 1
- add_ip_address_to_waf_regional_condition_purge.changed
- name: create WAF Regional byte condition
aws_waf_condition:
name: "{{ resource_prefix }}_byte_condition"
filters:
- field_to_match: header
position: STARTS_WITH
target_string: Hello
header: Content-type
type: byte
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
register: create_waf_regional_byte_condition
- name: recreate WAF Regional byte condition
aws_waf_condition:
name: "{{ resource_prefix }}_byte_condition"
filters:
- field_to_match: header
position: STARTS_WITH
target_string: Hello
header: Content-type
type: byte
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
register: recreate_waf_regional_byte_condition
- name: assert that no change was made
assert:
that:
- not recreate_waf_regional_byte_condition.changed
- name: create WAF Regional geo condition
aws_waf_condition:
name: "{{ resource_prefix }}_geo_condition"
filters:
- country: US
- country: AU
- country: AT
type: geo
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
register: create_waf_regional_geo_condition
- name: create WAF Regional size condition
aws_waf_condition:
name: "{{ resource_prefix }}_size_condition"
filters:
- field_to_match: query_string
size: 300
comparison: GT
type: size
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
register: create_waf_regional_size_condition
- name: create WAF Regional sql condition
aws_waf_condition:
name: "{{ resource_prefix }}_sql_condition"
filters:
- field_to_match: query_string
transformation: url_decode
type: sql
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
register: create_waf_regional_sql_condition
- name: create WAF Regional xss condition
aws_waf_condition:
name: "{{ resource_prefix }}_xss_condition"
filters:
- field_to_match: query_string
transformation: url_decode
type: xss
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
register: create_waf_regional_xss_condition
- name: create WAF Regional regex condition
aws_waf_condition:
name: "{{ resource_prefix }}_regex_condition"
filters:
- field_to_match: query_string
regex_pattern:
name: greetings
regex_strings:
- '[hH]ello'
- '^Hi there'
- '.*Good Day to You'
type: regex
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
register: create_waf_regional_regex_condition
- name: create a second WAF Regional regex condition with the same regex
aws_waf_condition:
name: "{{ resource_prefix }}_regex_condition_part_2"
filters:
- field_to_match: header
header: cookie
regex_pattern:
name: greetings
regex_strings:
- '[hH]ello'
- '^Hi there'
- '.*Good Day to You'
type: regex
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
register: create_second_waf_regional_regex_condition
- name: check that the pattern is shared
assert:
that:
- >
create_waf_regional_regex_condition.condition.regex_match_tuples[0].regex_pattern_set_id ==
create_second_waf_regional_regex_condition.condition.regex_match_tuples[0].regex_pattern_set_id
- create_second_waf_regional_regex_condition.changed
- name: delete first WAF Regional regex condition
aws_waf_condition:
name: "{{ resource_prefix }}_regex_condition"
filters:
- field_to_match: query_string
regex_pattern:
name: greetings
regex_strings:
- '[hH]ello'
- '^Hi there'
- '.*Good Day to You'
type: regex
state: absent
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
register: delete_waf_regional_regex_condition
- name: delete second WAF Regional regex condition
aws_waf_condition:
name: "{{ resource_prefix }}_regex_condition_part_2"
filters:
- field_to_match: header
header: cookie
regex_pattern:
name: greetings
regex_strings:
- '[hH]ello'
- '^Hi there'
- '.*Good Day to You'
type: regex
state: absent
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
register: delete_second_waf_regional_regex_condition
- name: create WAF Regional regex condition
aws_waf_condition:
name: "{{ resource_prefix }}_regex_condition"
filters:
- field_to_match: query_string
regex_pattern:
name: greetings
regex_strings:
- '[hH]ello'
- '^Hi there'
- '.*Good Day to You'
type: regex
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
register: recreate_waf_regional_regex_condition
- name: check that a new pattern is created (because the first pattern should have been deleted once unused)
assert:
that:
- >
recreate_waf_regional_regex_condition.condition.regex_match_tuples[0].regex_pattern_set_id !=
create_waf_regional_regex_condition.condition.regex_match_tuples[0].regex_pattern_set_id
##################################################
# aws_waf_rule tests
##################################################
@@ -345,6 +596,124 @@
- remove_in_use_condition.failed
- "'Condition {{ resource_prefix }}_size_condition is in use' in remove_in_use_condition.msg"
- name: create WAF Regional rule
aws_waf_rule:
name: "{{ resource_prefix }}_rule"
conditions:
- name: "{{ resource_prefix }}_regex_condition"
type: regex
negated: no
- name: "{{ resource_prefix }}_geo_condition"
type: geo
negated: no
- name: "{{ resource_prefix }}_byte_condition"
type: byte
negated: no
purge_conditions: yes
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
register: create_aws_waf_regional_rule
- name: check WAF Regional rule
assert:
that:
- create_aws_waf_regional_rule.changed
- create_aws_waf_regional_rule.rule.predicates|length == 3
- name: recreate WAF Regional rule
aws_waf_rule:
name: "{{ resource_prefix }}_rule"
conditions:
- name: "{{ resource_prefix }}_regex_condition"
type: regex
negated: no
- name: "{{ resource_prefix }}_geo_condition"
type: geo
negated: no
- name: "{{ resource_prefix }}_byte_condition"
type: byte
negated: no
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
register: create_aws_waf_regional_rule
- name: check WAF Regional rule did not change
assert:
that:
- not create_aws_waf_regional_rule.changed
- create_aws_waf_regional_rule.rule.predicates|length == 3
- name: add further WAF Regional rules relying on purge_conditions defaulting to false
aws_waf_rule:
name: "{{ resource_prefix }}_rule"
conditions:
- name: "{{ resource_prefix }}_ip_condition"
type: ip
negated: yes
- name: "{{ resource_prefix }}_sql_condition"
type: sql
negated: no
- name: "{{ resource_prefix }}_xss_condition"
type: xss
negated: no
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
register: add_conditions_to_aws_waf_regional_rule
- name: check WAF Regional rule added rules
assert:
that:
- add_conditions_to_aws_waf_regional_rule.changed
- add_conditions_to_aws_waf_regional_rule.rule.predicates|length == 6
- name: remove some rules through purging conditions
aws_waf_rule:
name: "{{ resource_prefix }}_rule"
conditions:
- name: "{{ resource_prefix }}_ip_condition"
type: ip
negated: yes
- name: "{{ resource_prefix }}_xss_condition"
type: xss
negated: no
- name: "{{ resource_prefix }}_byte_condition"
type: byte
negated: no
- name: "{{ resource_prefix }}_size_condition"
type: size
negated: no
purge_conditions: yes
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
register: add_and_remove_waf_regional_rule_conditions
- name: check WAF Regional rules were updated as expected
assert:
that:
- add_and_remove_waf_regional_rule_conditions.changed
- add_and_remove_waf_regional_rule_conditions.rule.predicates|length == 4
- name: attempt to remove an WAF Regional in use condition
aws_waf_condition:
name: "{{ resource_prefix }}_size_condition"
type: size
state: absent
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
ignore_errors: yes
register: remove_in_use_condition
- name: check failure was sensible
assert:
that:
- remove_in_use_condition.failed
- "'Condition {{ resource_prefix }}_size_condition is in use' in remove_in_use_condition.msg"
##################################################
# aws_waf_web_acl tests
##################################################
@@ -477,6 +846,156 @@
state: absent
<<: *aws_connection_info
- name: create WAF Regional web ACL
aws_waf_web_acl:
name: "{{ resource_prefix }}_web_acl"
rules:
- name: "{{ resource_prefix }}_rule"
priority: 1
action: block
default_action: block
purge_rules: yes
state: present
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
register: create_waf_regional_web_acl
- name: recreate WAF Regional web acl
aws_waf_web_acl:
name: "{{ resource_prefix }}_web_acl"
rules:
- name: "{{ resource_prefix }}_rule"
priority: 1
action: block
default_action: block
state: present
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
register: recreate_waf_regional_web_acl
- name: check WAF Regional web acl was not changed
assert:
that:
- not recreate_waf_regional_web_acl.changed
- recreate_waf_regional_web_acl.web_acl.rules|length == 1
- name: create a second WAF Regional rule
aws_waf_rule:
name: "{{ resource_prefix }}_rule_2"
conditions:
- name: "{{ resource_prefix }}_ip_condition"
type: ip
negated: yes
- name: "{{ resource_prefix }}_sql_condition"
type: sql
negated: no
- name: "{{ resource_prefix }}_xss_condition"
type: xss
negated: no
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
- name: add a new rule to the WAF Regional web acl
aws_waf_web_acl:
name: "{{ resource_prefix }}_web_acl"
rules:
- name: "{{ resource_prefix }}_rule_2"
priority: 2
action: allow
default_action: block
state: present
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
register: waf_regional_web_acl_add_rule
- name: check that rule was added to the WAF Regional web acl
assert:
that:
- waf_regional_web_acl_add_rule.changed
- waf_regional_web_acl_add_rule.web_acl.rules|length == 2
- name: use purge rules to remove the WAF Regional first rule
aws_waf_web_acl:
name: "{{ resource_prefix }}_web_acl"
rules:
- name: "{{ resource_prefix }}_rule_2"
priority: 2
action: allow
purge_rules: yes
default_action: block
state: present
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
register: waf_regional_web_acl_add_rule
- name: check that rule was removed from the WAF Regional web acl
assert:
that:
- waf_regional_web_acl_add_rule.changed
- waf_regional_web_acl_add_rule.web_acl.rules|length == 1
- name: swap two WAF Regional rules of same priority
aws_waf_web_acl:
name: "{{ resource_prefix }}_web_acl"
rules:
- name: "{{ resource_prefix }}_rule"
priority: 2
action: allow
purge_rules: yes
default_action: block
state: present
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
register: waf_regional_web_acl_swap_rule
- name: attempt to delete the WAF Regional inuse first rule
aws_waf_rule:
name: "{{ resource_prefix }}_rule"
state: absent
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
ignore_errors: yes
register: remove_waf_regional_inuse_rule
- name: check that removing WAF Regional in-use rule fails
assert:
that:
- remove_waf_regional_inuse_rule.failed
- name: delete the WAF Regional web acl
aws_waf_web_acl:
name: "{{ resource_prefix }}_web_acl"
state: absent
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
register: delete_waf_regional_web_acl
- name: check that WAF Regional web acl was deleted
assert:
that:
- delete_waf_regional_web_acl.changed
- not delete_waf_regional_web_acl.web_acl
- name: delete the no longer in use WAF Regional first rule
aws_waf_rule:
name: "{{ resource_prefix }}_rule"
state: absent
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
##################################################
# TEARDOWN
##################################################
always:
- debug:
msg: "****** TEARDOWN STARTS HERE ******"
@@ -568,3 +1087,113 @@
state: absent
<<: *aws_connection_info
ignore_errors: yes
- name: delete the WAF Regional web acl
aws_waf_web_acl:
name: "{{ resource_prefix }}_web_acl"
state: absent
purge_rules: yes
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
ignore_errors: yes
- name: remove second WAF Regional rule
aws_waf_rule:
name: "{{ resource_prefix }}_rule_2"
state: absent
purge_conditions: yes
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
ignore_errors: yes
- name: remove WAF Regional rule
aws_waf_rule:
name: "{{ resource_prefix }}_rule"
state: absent
purge_conditions: yes
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
ignore_errors: yes
- name: remove WAF Regional XSS condition
aws_waf_condition:
name: "{{ resource_prefix }}_xss_condition"
type: xss
state: absent
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
ignore_errors: yes
- name: remove WAF Regional SQL condition
aws_waf_condition:
name: "{{ resource_prefix }}_sql_condition"
type: sql
state: absent
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
ignore_errors: yes
- name: remove WAF Regional size condition
aws_waf_condition:
name: "{{ resource_prefix }}_size_condition"
type: size
state: absent
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
ignore_errors: yes
- name: remove WAF Regional geo condition
aws_waf_condition:
name: "{{ resource_prefix }}_geo_condition"
type: geo
state: absent
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
ignore_errors: yes
- name: remove WAF Regional byte condition
aws_waf_condition:
name: "{{ resource_prefix }}_byte_condition"
type: byte
state: absent
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
ignore_errors: yes
- name: remove WAF Regional ip address condition
aws_waf_condition:
name: "{{ resource_prefix }}_ip_condition"
type: ip
state: absent
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
ignore_errors: yes
- name: remove WAF Regional regex part 2 condition
aws_waf_condition:
name: "{{ resource_prefix }}_regex_condition_part_2"
type: regex
state: absent
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
ignore_errors: yes
- name: remove first WAF Regional regex condition
aws_waf_condition:
name: "{{ resource_prefix }}_regex_condition"
type: regex
state: absent
region: "{{ aws_region }}"
waf_regional: true
<<: *aws_connection_info
ignore_errors: yes