A-Team Security — Infrastructure & Security Agent Engineer v1.1
This commit is contained in:
120
terraform/waf.tf
Normal file
120
terraform/waf.tf
Normal file
@@ -0,0 +1,120 @@
|
||||
# -----------------------------------------------------------------------------
|
||||
# WAF Policy
|
||||
# -----------------------------------------------------------------------------
|
||||
resource "oci_waf_web_app_firewall_policy" "main" {
|
||||
compartment_id = var.compartment_ocid
|
||||
display_name = "cisagent-waf-policy"
|
||||
freeform_tags = var.freeform_tags
|
||||
|
||||
# --- Actions ---
|
||||
actions {
|
||||
name = "checkAction"
|
||||
type = "CHECK"
|
||||
}
|
||||
|
||||
actions {
|
||||
name = "allowAction"
|
||||
type = "ALLOW"
|
||||
}
|
||||
|
||||
actions {
|
||||
name = "blockAction"
|
||||
type = "RETURN_HTTP_RESPONSE"
|
||||
code = 401
|
||||
|
||||
headers {
|
||||
name = "Content-Type"
|
||||
value = "application/json"
|
||||
}
|
||||
|
||||
body {
|
||||
type = "STATIC_TEXT"
|
||||
text = "{\"error\": \"Request blocked by WAF\"}"
|
||||
}
|
||||
}
|
||||
|
||||
# --- Request Protection ---
|
||||
request_protection {
|
||||
|
||||
# XSS Protection
|
||||
rules {
|
||||
name = "xss-protection"
|
||||
type = "PROTECTION"
|
||||
action_name = "blockAction"
|
||||
is_body_inspection_enabled = true
|
||||
|
||||
protection_capabilities {
|
||||
key = "941110"
|
||||
version = 1
|
||||
}
|
||||
|
||||
protection_capabilities {
|
||||
key = "941100"
|
||||
version = 1
|
||||
}
|
||||
}
|
||||
|
||||
# SQL Injection Protection
|
||||
rules {
|
||||
name = "sqli-protection"
|
||||
type = "PROTECTION"
|
||||
action_name = "blockAction"
|
||||
is_body_inspection_enabled = true
|
||||
|
||||
protection_capabilities {
|
||||
key = "942100"
|
||||
version = 1
|
||||
}
|
||||
|
||||
protection_capabilities {
|
||||
key = "942110"
|
||||
version = 1
|
||||
}
|
||||
}
|
||||
|
||||
# Path Traversal Protection
|
||||
rules {
|
||||
name = "path-traversal-protection"
|
||||
type = "PROTECTION"
|
||||
action_name = "blockAction"
|
||||
is_body_inspection_enabled = true
|
||||
|
||||
protection_capabilities {
|
||||
key = "930100"
|
||||
version = 1
|
||||
}
|
||||
|
||||
protection_capabilities {
|
||||
key = "930110"
|
||||
version = 1
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# --- Rate Limiting ---
|
||||
request_rate_limiting {
|
||||
rules {
|
||||
name = "rate-limit-300-per-min"
|
||||
type = "RATE_LIMITING"
|
||||
action_name = "blockAction"
|
||||
|
||||
configurations {
|
||||
period_in_seconds = 60
|
||||
requests_limit = 300
|
||||
action_duration_in_seconds = 60
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# WAF Firewall (attached to Load Balancer)
|
||||
# -----------------------------------------------------------------------------
|
||||
resource "oci_waf_web_app_firewall" "main" {
|
||||
compartment_id = var.compartment_ocid
|
||||
display_name = "cisagent-waf"
|
||||
backend_type = "LOAD_BALANCER"
|
||||
load_balancer_id = oci_load_balancer_load_balancer.main.id
|
||||
web_app_firewall_policy_id = oci_waf_web_app_firewall_policy.main.id
|
||||
freeform_tags = var.freeform_tags
|
||||
}
|
||||
Reference in New Issue
Block a user