Merge pull request #280 from komtaki/feature/add-aws-waf

chore: add cloud formation of waf

.cloudformation/waf.yml

@@ -0,0 +1,89 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: "Create webAcl"
+
+Parameters:
+  AppEnvironment:
+    Description: Type of app environment.
+    Type: String
+    Default: staging
+    AllowedValues:
+      - staging
+      - production
+
+Resources:
+# ------------------------------------------------------------#
+# AWS WAFv2
+# ------------------------------------------------------------#
+  WebAclCloudFront:
+    Type: AWS::WAFv2::WebACL
+    Properties:
+      DefaultAction:
+        Allow: {}
+      Description: WebACL for CloudFront
+      Name: !Sub ${AppEnvironment}-cfj-decidim-web-acl
+      Rules:
+        - Name: !Sub ${AppEnvironment}-AWSManagedRulesCommonRuleSet
+          Priority: 0
+          OverrideAction:
+            Count: {}
+          VisibilityConfig:
+            SampledRequestsEnabled: true
+            CloudWatchMetricsEnabled: true
+            MetricName: AWSManagedRulesCommonRuleSetMetric
+          Statement:
+            ManagedRuleGroupStatement:
+              VendorName: AWS
+              Name: AWSManagedRulesCommonRuleSet
+        - Name: !Sub ${AppEnvironment}-AWSManagedRulesKnownBadInputsRuleSet
+          Priority: 1
+          OverrideAction:
+            Count: {}
+          VisibilityConfig:
+            SampledRequestsEnabled: true
+            CloudWatchMetricsEnabled: true
+            MetricName: AWSManagedRulesKnownBadInputsRuleSetMetric
+          Statement:
+            ManagedRuleGroupStatement:
+              VendorName: AWS
+              Name: AWSManagedRulesKnownBadInputsRuleSet
+        - Name: !Sub ${AppEnvironment}-AWSManagedRulesAmazonIpReputationList
+          Priority: 2
+          OverrideAction:
+            Count: {}
+          VisibilityConfig:
+            SampledRequestsEnabled: true
+            CloudWatchMetricsEnabled: true
+            MetricName: AWSManagedRulesAmazonIpReputationListMetric
+          Statement:
+            ManagedRuleGroupStatement:
+              VendorName: AWS
+              Name: AWSManagedRulesAmazonIpReputationList
+        - Name: !Sub ${AppEnvironment}-AWSManagedRulesLinuxRuleSet
+          Priority: 3
+          OverrideAction:
+            Count: {}
+          VisibilityConfig:
+            SampledRequestsEnabled: true
+            CloudWatchMetricsEnabled: true
+            MetricName: AWSManagedRulesLinuxRuleSetMetric
+          Statement:
+            ManagedRuleGroupStatement:
+              VendorName: AWS
+              Name: AWSManagedRulesLinuxRuleSet
+        - Name: !Sub ${AppEnvironment}-AWSManagedRulesSQLiRuleSet
+          Priority: 4
+          OverrideAction:
+            Count: {}
+          VisibilityConfig:
+            SampledRequestsEnabled: true
+            CloudWatchMetricsEnabled: true
+            MetricName: AWSManagedRulesSQLiRuleSetMetric
+          Statement:
+            ManagedRuleGroupStatement:
+              VendorName: AWS
+              Name: AWSManagedRulesSQLiRuleSet
+      Scope: CLOUDFRONT
+      VisibilityConfig:
+        SampledRequestsEnabled: true
+        CloudWatchMetricsEnabled: true
+        MetricName: !Sub ${AppEnvironment}-cfj-decidim-web-acl

docs/INFRA.md

@@ -48,6 +48,19 @@ https://github.com/awsdocs/elastic-beanstalk-samples/blob/main/cfn-templates/vpc
 
 - staging-decidim-app-cloud-front
 
+## WAF
+
+Cloud frontに合わせてus-east-1にあります。
+
+### Template file
+
+[.cloudformation/waf.yml](/.cloudformation/waf.yml)
+
+### Stack Name
+
+- staging-decidim-waf
+- production-decidim-waf
+
 ## ECR
 
 staging用と本番は同じリポジトリです。Dockerイメージのタグで区別します。