
Commit c33f3e5

committed
feat: testing the waf
1 parent 2a45f8c commit c33f3e5

9 files changed

+361
-0
lines changed

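--- a/infra/.gitignore
+++ b/infra/.gitignore
@@ -0,0 +1,15 @@
+
+**/.terraform/*
+*.tfstate
+*.tfstate.*
+crash.log
+crash.*.log
+*.tfvars
+*.tfvars.json
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+.terraform.tfstate.lock.info
+.terraformrc
+terraform.rc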

infra/.terraform.lock.hcl

Lines changed: 69 additions & 0 deletions

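--- a/infra/aws.tf
+++ b/infra/aws.tf
@@ -0,0 +1,7 @@
+resource "aws_route53_record" "ngwaf_cname" {
+zone_id = var.route53_zone_id
+name = var.route53_record_name
+type = "CNAME"
+ttl = var.route53_record_ttl
+records = ["dualstack.python.map.fastly.net"]
+}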
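Review bot: `name = var.route53_record_name` on the record is a second copy of the frontend hostname that already lives in `USER_VCL_SERVICE_DOMAIN_NAME` (both default to `ngwaftest.psf.io`), so the two can drift and point DNS at the Fastly map for a hostname the service does not claim. Deriving one from the other, `name = var.USER_VCL_SERVICE_DOMAIN_NAME`, removes the duplicate; a `validation` block tying them together is the alternative if both variables must stay. The record also has no dependency on the edge deployment, so DNS can go live before the WAF-fronted service is activated; `depends_on = [sigsci_edge_deployment_service.ngwaf_edge_service_link]` would sequence it, if that ordering is wanted.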

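--- a/infra/fastly.tf
+++ b/infra/fastly.tf
@@ -0,0 +1,107 @@
+# Fastly VCL Service
+resource "fastly_service_vcl" "frontend-vcl-service" {
+name = "NGWAF Testing"
+
+domain {
+name = var.USER_VCL_SERVICE_DOMAIN_NAME
+comment = "NGWAF testing"
+}
+
+backend {
+address = var.USER_VCL_SERVICE_BACKEND_HOSTNAME
+name = "vcl_service_origin_1"
+port = 443
+use_ssl = true
+ssl_cert_hostname = var.USER_VCL_SERVICE_BACKEND_HOSTNAME
+ssl_sni_hostname = var.USER_VCL_SERVICE_BACKEND_HOSTNAME
+override_host = var.USER_VCL_SERVICE_BACKEND_HOSTNAME
+}
+
+# NGWAF Dynamic Snippets
+dynamicsnippet {
+name = "ngwaf_config_init"
+type = "init"
+priority = 0
+}
+
+dynamicsnippet {
+name = "ngwaf_config_miss"
+type = "miss"
+priority = 9000
+}
+
+dynamicsnippet {
+name = "ngwaf_config_pass"
+type = "pass"
+priority = 9000
+}
+
+dynamicsnippet {
+name = "ngwaf_config_deliver"
+type = "deliver"
+priority = 9000
+}
+
+dictionary {
+name = var.Edge_Security_dictionary
+}
+
+lifecycle {
+ignore_changes = [product_enablement]
+}
+
+force_destroy = true
+}
+
+# Fastly Service Dictionary Items
+resource "fastly_service_dictionary_items" "edge_security_dictionary_items" {
+for_each = {
+for d in fastly_service_vcl.frontend-vcl-service.dictionary : d.name => d if d.name == var.Edge_Security_dictionary
+}
+service_id = fastly_service_vcl.frontend-vcl-service.id
+dictionary_id = each.value.dictionary_id
+items = {
+Enabled: "100"
+}
+}
+
+# Fastly Service Dynamic Snippet Contents
+resource "fastly_service_dynamic_snippet_content" "ngwaf_config_init" {
+for_each = {
+for d in fastly_service_vcl.frontend-vcl-service.dynamicsnippet : d.name => d if d.name == "ngwaf_config_init"
+}
+service_id = fastly_service_vcl.frontend-vcl-service.id
+snippet_id = each.value.snippet_id
+content = "### Fastly managed ngwaf_config_init"
+manage_snippets = false
+}
+
+resource "fastly_service_dynamic_snippet_content" "ngwaf_config_miss" {
+for_each = {
+for d in fastly_service_vcl.frontend-vcl-service.dynamicsnippet : d.name => d if d.name == "ngwaf_config_miss"
+}
+service_id = fastly_service_vcl.frontend-vcl-service.id
+snippet_id = each.value.snippet_id
+content = "### Fastly managed ngwaf_config_miss"
+manage_snippets = false
+}
+
+resource "fastly_service_dynamic_snippet_content" "ngwaf_config_pass" {
+for_each = {
+for d in fastly_service_vcl.frontend-vcl-service.dynamicsnippet : d.name => d if d.name == "ngwaf_config_pass"
+}
+service_id = fastly_service_vcl.frontend-vcl-service.id
+snippet_id = each.value.snippet_id
+content = "### Fastly managed ngwaf_config_pass"
+manage_snippets = false
+}
+
+resource "fastly_service_dynamic_snippet_content" "ngwaf_config_deliver" {
+for_each = {
+for d in fastly_service_vcl.frontend-vcl-service.dynamicsnippet : d.name => d if d.name == "ngwaf_config_deliver"
+}
+service_id = fastly_service_vcl.frontend-vcl-service.id
+snippet_id = each.value.snippet_id
+content = "### Fastly managed ngwaf_config_deliver"
+manage_snippets = false
+}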
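Review bot: The `backend` block points straight at `var.USER_VCL_SERVICE_BACKEND_HOSTNAME` (default `test-ngwaf.psf.io`) and nothing in this file lets the origin tell Fastly apart from a client connecting to it directly, so the NGWAF inspection is bypassable by requesting the origin hostname unless that host is locked down elsewhere (a Fastly IP allowlist or a shared-secret header, neither of which is visible here). A comment on the backend would at least record the requirement, e.g. `# Origin must restrict traffic to Fastly (IP allowlist or shared-secret header), otherwise the WAF can be bypassed by hitting it directly`. Separately, `force_destroy = true` on the service means `terraform destroy` will deactivate and delete the live version with no guard, which is reasonable for a test service but should be removed before this configuration fronts anything production-facing.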

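--- a/infra/main.tf
+++ b/infra/main.tf
@@ -0,0 +1,34 @@
+terraform {
+required_providers {
+fastly = {
+source = "fastly/fastly"
+version = ">= 3.0.4"
+}
+sigsci = {
+source = "signalsciences/sigsci"
+version = ">= 1.2.18"
+}
+aws = {
+source = "hashicorp/aws"
+version = "~> 5.0"
+}
+}
+}
+
+# Provider configurations
+provider "fastly" {
+api_key = var.FASTLY_API_KEY
+}
+
+provider "aws" {
+region = "us-east-2"
+access_key = var.AWS_ACCESS_KEY_ID
+secret_key = var.AWS_SECRET_ACCESS_KEY
+}
+
+provider "sigsci" {
+corp = var.NGWAF_CORP
+email = var.NGWAF_EMAIL
+auth_token = var.NGWAF_TOKEN
+fastly_api_key = var.FASTLY_API_KEY
+}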
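Review bot: The `aws` provider takes long-lived static credentials through `access_key`/`secret_key` variables, and `sigsci` receives the same `FASTLY_API_KEY` as the Fastly provider, so a single tfvars file ends up holding every credential this stack uses in plaintext. The AWS provider already reads `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, a profile or an assumed role from the environment on its own, so the two arguments can simply be dropped and those variables retired, leaving no reason for the keys to ever be written to `terraform.tfvars`. There is also no `backend` block, so state lives in a local `terraform.tfstate` with no locking and no encryption at rest; a remote backend is worth adding before more than one person applies this.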

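--- a/infra/ngwaf.tf
+++ b/infra/ngwaf.tf
@@ -0,0 +1,29 @@
+# NGWAF Edge Deployment
+resource "sigsci_edge_deployment" "ngwaf_edge_site_service" {
+site_short_name = var.NGWAF_SITE
+}
+
+resource "sigsci_edge_deployment_service" "ngwaf_edge_service_link" {
+site_short_name = var.NGWAF_SITE
+fastly_sid = fastly_service_vcl.frontend-vcl-service.id
+activate_version = true
+percent_enabled = 100
+depends_on = [
+sigsci_edge_deployment.ngwaf_edge_site_service,
+fastly_service_vcl.frontend-vcl-service,
+fastly_service_dictionary_items.edge_security_dictionary_items,
+fastly_service_dynamic_snippet_content.ngwaf_config_init,
+fastly_service_dynamic_snippet_content.ngwaf_config_miss,
+fastly_service_dynamic_snippet_content.ngwaf_config_pass,
+fastly_service_dynamic_snippet_content.ngwaf_config_deliver,
+]
+}
+
+resource "sigsci_edge_deployment_service_backend" "ngwaf_edge_service_backend_sync" {
+site_short_name = var.NGWAF_SITE
+fastly_sid = fastly_service_vcl.frontend-vcl-service.id
+fastly_service_vcl_active_version = fastly_service_vcl.frontend-vcl-service.active_version
+depends_on = [
+sigsci_edge_deployment_service.ngwaf_edge_service_link,
+]
+}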
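Review bot: `percent_enabled = 100` on `sigsci_edge_deployment_service` and the `Enabled: "100"` item written into the Edge_Security dictionary in fastly.tf are two independent knobs for what reads as the same rollout percentage, and nothing keeps them in step. Hoisting it into one variable, e.g. `variable "NGWAF_PERCENT_ENABLED" { type = number default = 100 }` referenced from both places, avoids a split state where one side says 100 and the other 0. `activate_version = true` also means every apply activates a fresh Fastly version immediately; presumably intended for a test service, but a one-line comment saying so would stop it being copied into a production module unchanged.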

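--- a/infra/out.tf
+++ b/infra/out.tf
@@ -0,0 +1,16 @@
+output "testing-the_ngwaf" {
+value = <<tfmultiline
+#### Click the URL to go to the service ####
+https://cfg.fastly.com/${fastly_service_vcl.frontend-vcl-service.id}
+#### Send a test request with curl. ####
+curl -i "https://${var.USER_VCL_SERVICE_DOMAIN_NAME}/anything/whydopirates?likeurls=theargs" -d foo=bar
+#### Send an test as cmd exe request with curl. ####
+curl -i "https://${var.USER_VCL_SERVICE_DOMAIN_NAME}/anything/myattackreq?i=../../../../etc/passwd'" -d foo=bar
+#### Troubleshoot the logging configuration if necessary. ####
+curl https://api.fastly.com/service/${fastly_service_vcl.frontend-vcl-service.id}/logging_status -H fastly-key:$FASTLY_API_KEY
+tfmultiline
+description = "Output hints on what to do next."
+depends_on = [
+sigsci_edge_deployment_service.ngwaf_edge_service_link
+]
+}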
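Review bot: The troubleshooting hint passes the Fastly token on the curl command line via `-H fastly-key:$FASTLY_API_KEY`, where it is visible in process listings and ends up in shell history for anyone who pastes it. Since this is operator guidance rather than executed code, a small change is enough: have curl read the header from a file (`-H @fastly-key.txt`) or a `-K` config file, and say so in the hint. The test payloads themselves are only WAF-probe strings against the service domain, so nothing else in the output needs `sensitive = true`.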

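--- a/infra/terraform.tfvars.example
+++ b/infra/terraform.tfvars.example
@@ -0,0 +1,5 @@
+AWS_ACCESS_KEY_ID = "NotARealKey"
+AWS_SECRET_ACCESS_KEY = "NotARealKey"
+
+NGWAF_TOKEN = "NotARealKey"
+FASTLY_API_KEY = "NotARealKey"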

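--- a/infra/variables.tf
+++ b/infra/variables.tf
@@ -0,0 +1,79 @@
+# Fastly variables
+variable "FASTLY_API_KEY" {
+type = string
+description = "API key for the Fastly VCL edge configuration."
+}
+
+# VCL Service variables
+variable "USER_VCL_SERVICE_DOMAIN_NAME" {
+type = string
+description = "Frontend domain for your service."
+default = "ngwaftest.psf.io"
+}
+
+variable "USER_VCL_SERVICE_BACKEND_HOSTNAME" {
+type = string
+description = "Hostname used for backend."
+default = "test-ngwaf.psf.io"
+}
+
+variable "Edge_Security_dictionary" {
+type = string
+default = "Edge_Security"
+}
+
+# NGWAF variables
+variable "NGWAF_CORP" {
+type = string
+description = "Corp name for NGWAF"
+default = "python"
+}
+
+variable "NGWAF_SITE" {
+type = string
+description = "Site SHORT name for NGWAF"
+default = "test"
+}
+
+variable "NGWAF_EMAIL" {
+type = string
+description = "Email address associated with the token for the NGWAF API."
+default = "jacob.coffee@pyfound.org"
+}
+
+variable "NGWAF_TOKEN" {
+type = string
+description = "Secret token for the NGWAF API."
+sensitive = true
+}
+
+# AWS variables
+variable "AWS_ACCESS_KEY_ID" {
+type = string
+description = "Access key for the AWS account."
+sensitive = true
+}
+
+variable "AWS_SECRET_ACCESS_KEY" {
+type = string
+description = "Secret access key for the AWS account."
+sensitive = true
+}
+
+variable "route53_zone_id" {
+type = string
+description = "The Route 53 hosted zone ID"
+default = "Z2LSM2W8Q3WN11" # psf.io
+}
+
+variable "route53_record_name" {
+type = string
+description = "The name of the CNAME record"
+default = "ngwaftest.psf.io"
+}
+
+variable "route53_record_ttl" {
+type = number
+description = "The TTL for the CNAME record"
+default = 60
+}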
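Review bot: `FASTLY_API_KEY` is the only credential variable in this file not marked `sensitive = true`, so unlike `NGWAF_TOKEN` and the two AWS keys it will be echoed in plan/apply output and in any diff of a resource that references it; add `sensitive = true` to that block. `NGWAF_EMAIL` defaults to an individual's address, and since the sigsci provider binds the API token to that email, the default ties every apply to one person's account — a shared service identity, or no default so it has to come from tfvars, is the safer shape once this leaves testing. Variable naming also mixes `UPPER_SNAKE` and `lower_snake` (`route53_*`, `Edge_Security_dictionary`); picking one convention now is cheap.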
