Files
A-Team-Security-Infra-Agent…/deploy/terraform-vm/waf.tf
nogueiraguh 5efde6fcf4 feat: OCI deployment — Terraform VM + OKE stacks, OCIR, K8s manifests
- terraform-vm/: ARM VM (A1.Flex Free Tier), Docker Compose, Block Volume, LB+WAF+SSL
- terraform-oke/: OKE cluster (3 nodes Intel), NodePort, LB+WAF+SSL
- k8s/: namespace, deployments, services, PVC, secrets, configmap
- Dockerfile.frontend: self-contained nginx+dist image
- push-images.sh: multi-arch build (amd64+arm64) + push to OCIR
- dns.tf: conditional OCI DNS Zone + A record (when domain available)
- Both stacks 100% independent, no shared modules
- .gitignore: terraform state, .terraform/, *.tfvars
2026-04-02 13:19:58 -03:00

121 lines
2.9 KiB
HCL

# -----------------------------------------------------------------------------
# WAF Policy
# -----------------------------------------------------------------------------
resource "oci_waf_web_app_firewall_policy" "main" {
compartment_id = var.compartment_ocid
display_name = "cisagent-waf-policy"
freeform_tags = var.freeform_tags
# --- Actions ---
actions {
name = "checkAction"
type = "CHECK"
}
actions {
name = "allowAction"
type = "ALLOW"
}
actions {
name = "blockAction"
type = "RETURN_HTTP_RESPONSE"
code = 401
headers {
name = "Content-Type"
value = "application/json"
}
body {
type = "STATIC_TEXT"
text = "{\"error\": \"Request blocked by WAF\"}"
}
}
# --- Request Protection ---
request_protection {
# XSS Protection
rules {
name = "xss-protection"
type = "PROTECTION"
action_name = "blockAction"
is_body_inspection_enabled = true
protection_capabilities {
key = "941110"
version = 1
}
protection_capabilities {
key = "941100"
version = 1
}
}
# SQL Injection Protection
rules {
name = "sqli-protection"
type = "PROTECTION"
action_name = "blockAction"
is_body_inspection_enabled = true
protection_capabilities {
key = "942100"
version = 1
}
protection_capabilities {
key = "942110"
version = 1
}
}
# Path Traversal Protection
rules {
name = "path-traversal-protection"
type = "PROTECTION"
action_name = "blockAction"
is_body_inspection_enabled = true
protection_capabilities {
key = "930100"
version = 1
}
protection_capabilities {
key = "930110"
version = 1
}
}
}
# --- Rate Limiting ---
request_rate_limiting {
rules {
name = "rate-limit-300-per-min"
type = "RATE_LIMITING"
action_name = "blockAction"
configurations {
period_in_seconds = 60
requests_limit = 300
action_duration_in_seconds = 60
}
}
}
}
# -----------------------------------------------------------------------------
# WAF Firewall (attached to Load Balancer)
# -----------------------------------------------------------------------------
resource "oci_waf_web_app_firewall" "main" {
compartment_id = var.compartment_ocid
display_name = "cisagent-waf"
backend_type = "LOAD_BALANCER"
load_balancer_id = oci_load_balancer_load_balancer.main.id
web_app_firewall_policy_id = oci_waf_web_app_firewall_policy.main.id
freeform_tags = var.freeform_tags
}