feat: OCI deployment — Terraform VM + OKE stacks, OCIR, K8s manifests
- terraform-vm/: ARM VM (A1.Flex Free Tier), Docker Compose, Block Volume, LB+WAF+SSL - terraform-oke/: OKE cluster (3 nodes Intel), NodePort, LB+WAF+SSL - k8s/: namespace, deployments, services, PVC, secrets, configmap - Dockerfile.frontend: self-contained nginx+dist image - push-images.sh: multi-arch build (amd64+arm64) + push to OCIR - dns.tf: conditional OCI DNS Zone + A record (when domain available) - Both stacks 100% independent, no shared modules - .gitignore: terraform state, .terraform/, *.tfvars
This commit is contained in:
114
deploy/terraform-oke/waf.tf
Normal file
114
deploy/terraform-oke/waf.tf
Normal file
@@ -0,0 +1,114 @@
|
||||
# -----------------------------------------------------------------------------
|
||||
# OCI CIS Agent — OKE Deployment Stack
|
||||
# WAF: Web Application Firewall Policy + Association
|
||||
# -----------------------------------------------------------------------------
|
||||
|
||||
resource "oci_waf_web_app_firewall_policy" "main" {
|
||||
compartment_id = var.compartment_ocid
|
||||
display_name = "cisagent-oke-waf-policy"
|
||||
|
||||
# --- OWASP Protection Rules ---
|
||||
actions {
|
||||
name = "block"
|
||||
type = "RETURN_HTTP_RESPONSE"
|
||||
code = 403
|
||||
body {
|
||||
type = "STATIC_TEXT"
|
||||
text = "Blocked by WAF"
|
||||
}
|
||||
}
|
||||
|
||||
actions {
|
||||
name = "allow"
|
||||
type = "ALLOW"
|
||||
}
|
||||
|
||||
# --- Request Protection: XSS ---
|
||||
request_protection {
|
||||
rules {
|
||||
name = "xss-protection"
|
||||
type = "PROTECTION"
|
||||
action_name = "block"
|
||||
is_body_inspection_enabled = true
|
||||
|
||||
protection_capabilities {
|
||||
key = "941110"
|
||||
version = 1
|
||||
}
|
||||
protection_capabilities {
|
||||
key = "941100"
|
||||
version = 1
|
||||
}
|
||||
protection_capabilities {
|
||||
key = "941160"
|
||||
version = 1
|
||||
}
|
||||
}
|
||||
|
||||
# --- Request Protection: SQL Injection ---
|
||||
rules {
|
||||
name = "sqli-protection"
|
||||
type = "PROTECTION"
|
||||
action_name = "block"
|
||||
is_body_inspection_enabled = true
|
||||
|
||||
protection_capabilities {
|
||||
key = "942110"
|
||||
version = 1
|
||||
}
|
||||
protection_capabilities {
|
||||
key = "942120"
|
||||
version = 1
|
||||
}
|
||||
protection_capabilities {
|
||||
key = "942130"
|
||||
version = 1
|
||||
}
|
||||
}
|
||||
|
||||
# --- Request Protection: Path Traversal ---
|
||||
rules {
|
||||
name = "path-traversal-protection"
|
||||
type = "PROTECTION"
|
||||
action_name = "block"
|
||||
is_body_inspection_enabled = true
|
||||
|
||||
protection_capabilities {
|
||||
key = "930100"
|
||||
version = 1
|
||||
}
|
||||
protection_capabilities {
|
||||
key = "930110"
|
||||
version = 1
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# --- Rate Limiting: 300 requests/minute ---
|
||||
request_rate_limiting {
|
||||
rules {
|
||||
name = "rate-limit-300-per-minute"
|
||||
type = "RATE_LIMITING"
|
||||
action_name = "block"
|
||||
|
||||
configurations {
|
||||
period_in_seconds = 60
|
||||
requests_limit = 300
|
||||
action_duration_in_seconds = 60
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
freeform_tags = var.freeform_tags
|
||||
}
|
||||
|
||||
# --- Associate WAF with Load Balancer ---
|
||||
|
||||
resource "oci_waf_web_app_firewall" "main" {
|
||||
compartment_id = var.compartment_ocid
|
||||
display_name = "cisagent-oke-waf"
|
||||
backend_type = "LOAD_BALANCER"
|
||||
load_balancer_id = oci_load_balancer_load_balancer.main.id
|
||||
web_app_firewall_policy_id = oci_waf_web_app_firewall_policy.main.id
|
||||
freeform_tags = var.freeform_tags
|
||||
}
|
||||
Reference in New Issue
Block a user