- terraform-vm/: ARM VM (A1.Flex Free Tier), Docker Compose, Block Volume, LB+WAF+SSL - terraform-oke/: OKE cluster (3 nodes Intel), NodePort, LB+WAF+SSL - k8s/: namespace, deployments, services, PVC, secrets, configmap - Dockerfile.frontend: self-contained nginx+dist image - push-images.sh: multi-arch build (amd64+arm64) + push to OCIR - dns.tf: conditional OCI DNS Zone + A record (when domain available) - Both stacks 100% independent, no shared modules - .gitignore: terraform state, .terraform/, *.tfvars
115 lines
2.8 KiB
HCL
115 lines
2.8 KiB
HCL
# -----------------------------------------------------------------------------
|
|
# OCI CIS Agent — OKE Deployment Stack
|
|
# WAF: Web Application Firewall Policy + Association
|
|
# -----------------------------------------------------------------------------
|
|
|
|
resource "oci_waf_web_app_firewall_policy" "main" {
|
|
compartment_id = var.compartment_ocid
|
|
display_name = "cisagent-oke-waf-policy"
|
|
|
|
# --- OWASP Protection Rules ---
|
|
actions {
|
|
name = "block"
|
|
type = "RETURN_HTTP_RESPONSE"
|
|
code = 403
|
|
body {
|
|
type = "STATIC_TEXT"
|
|
text = "Blocked by WAF"
|
|
}
|
|
}
|
|
|
|
actions {
|
|
name = "allow"
|
|
type = "ALLOW"
|
|
}
|
|
|
|
# --- Request Protection: XSS ---
|
|
request_protection {
|
|
rules {
|
|
name = "xss-protection"
|
|
type = "PROTECTION"
|
|
action_name = "block"
|
|
is_body_inspection_enabled = true
|
|
|
|
protection_capabilities {
|
|
key = "941110"
|
|
version = 1
|
|
}
|
|
protection_capabilities {
|
|
key = "941100"
|
|
version = 1
|
|
}
|
|
protection_capabilities {
|
|
key = "941160"
|
|
version = 1
|
|
}
|
|
}
|
|
|
|
# --- Request Protection: SQL Injection ---
|
|
rules {
|
|
name = "sqli-protection"
|
|
type = "PROTECTION"
|
|
action_name = "block"
|
|
is_body_inspection_enabled = true
|
|
|
|
protection_capabilities {
|
|
key = "942110"
|
|
version = 1
|
|
}
|
|
protection_capabilities {
|
|
key = "942120"
|
|
version = 1
|
|
}
|
|
protection_capabilities {
|
|
key = "942130"
|
|
version = 1
|
|
}
|
|
}
|
|
|
|
# --- Request Protection: Path Traversal ---
|
|
rules {
|
|
name = "path-traversal-protection"
|
|
type = "PROTECTION"
|
|
action_name = "block"
|
|
is_body_inspection_enabled = true
|
|
|
|
protection_capabilities {
|
|
key = "930100"
|
|
version = 1
|
|
}
|
|
protection_capabilities {
|
|
key = "930110"
|
|
version = 1
|
|
}
|
|
}
|
|
}
|
|
|
|
# --- Rate Limiting: 300 requests/minute ---
|
|
request_rate_limiting {
|
|
rules {
|
|
name = "rate-limit-300-per-minute"
|
|
type = "RATE_LIMITING"
|
|
action_name = "block"
|
|
|
|
configurations {
|
|
period_in_seconds = 60
|
|
requests_limit = 300
|
|
action_duration_in_seconds = 60
|
|
}
|
|
}
|
|
}
|
|
|
|
freeform_tags = var.freeform_tags
|
|
}
|
|
|
|
# --- Associate WAF with Load Balancer ---
|
|
|
|
resource "oci_waf_web_app_firewall" "main" {
|
|
compartment_id = var.compartment_ocid
|
|
display_name = "cisagent-oke-waf"
|
|
backend_type = "LOAD_BALANCER"
|
|
load_balancer_id = oci_load_balancer_load_balancer.main.id
|
|
web_app_firewall_policy_id = oci_waf_web_app_firewall_policy.main.id
|
|
freeform_tags = var.freeform_tags
|
|
}
|