feat: testing the waf

JacobCoffee · JacobCoffee · commit c33f3e550cdb · 2024-08-23T12:18:06.000-05:00
diff --git a/infra/.gitignore b/infra/.gitignore
@@ -0,0 +1,15 @@
+
+**/.terraform/*
+*.tfstate
+*.tfstate.*
+crash.log
+crash.*.log
+*.tfvars
+*.tfvars.json
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+.terraform.tfstate.lock.info
+.terraformrc
+terraform.rc
diff --git a/infra/.terraform.lock.hcl b/infra/.terraform.lock.hcl
diff --git a/infra/aws.tf b/infra/aws.tf
@@ -0,0 +1,7 @@
+resource "aws_route53_record" "ngwaf_cname" {
+  zone_id = var.route53_zone_id
+  name    = var.route53_record_name
+  type    = "CNAME"
+  ttl     = var.route53_record_ttl
+  records = ["dualstack.python.map.fastly.net"]
+}
diff --git a/infra/fastly.tf b/infra/fastly.tf
@@ -0,0 +1,107 @@
+# Fastly VCL Service
+resource "fastly_service_vcl" "frontend-vcl-service" {
+  name = "NGWAF Testing"
+
+  domain {
+    name    = var.USER_VCL_SERVICE_DOMAIN_NAME
+    comment = "NGWAF testing"
+  }
+
+  backend {
+    address           = var.USER_VCL_SERVICE_BACKEND_HOSTNAME
+    name              = "vcl_service_origin_1"
+    port              = 443
+    use_ssl           = true
+    ssl_cert_hostname = var.USER_VCL_SERVICE_BACKEND_HOSTNAME
+    ssl_sni_hostname  = var.USER_VCL_SERVICE_BACKEND_HOSTNAME
+    override_host     = var.USER_VCL_SERVICE_BACKEND_HOSTNAME
+  }
+
+  # NGWAF Dynamic Snippets
+  dynamicsnippet {
+    name     = "ngwaf_config_init"
+    type     = "init"
+    priority = 0
+  }
+
+  dynamicsnippet {
+    name     = "ngwaf_config_miss"
+    type     = "miss"
+    priority = 9000
+  }
+
+  dynamicsnippet {
+    name     = "ngwaf_config_pass"
+    type     = "pass"
+    priority = 9000
+  }
+
+  dynamicsnippet {
+    name     = "ngwaf_config_deliver"
+    type     = "deliver"
+    priority = 9000
+  }
+
+  dictionary {
+    name = var.Edge_Security_dictionary
+  }
+
+  lifecycle {
+    ignore_changes = [product_enablement]
+  }
+
+  force_destroy = true
+}
+
+# Fastly Service Dictionary Items
+resource "fastly_service_dictionary_items" "edge_security_dictionary_items" {
+  for_each = {
+    for d in fastly_service_vcl.frontend-vcl-service.dictionary : d.name => d if d.name == var.Edge_Security_dictionary
+  }
+  service_id    = fastly_service_vcl.frontend-vcl-service.id
+  dictionary_id = each.value.dictionary_id
+  items = {
+    Enabled: "100"
+  }
+}
+
+# Fastly Service Dynamic Snippet Contents
+resource "fastly_service_dynamic_snippet_content" "ngwaf_config_init" {
+  for_each = {
+    for d in fastly_service_vcl.frontend-vcl-service.dynamicsnippet : d.name => d if d.name == "ngwaf_config_init"
+  }
+  service_id      = fastly_service_vcl.frontend-vcl-service.id
+  snippet_id      = each.value.snippet_id
+  content         = "### Fastly managed ngwaf_config_init"
+  manage_snippets = false
+}
+
+resource "fastly_service_dynamic_snippet_content" "ngwaf_config_miss" {
+  for_each = {
+    for d in fastly_service_vcl.frontend-vcl-service.dynamicsnippet : d.name => d if d.name == "ngwaf_config_miss"
+  }
+  service_id      = fastly_service_vcl.frontend-vcl-service.id
+  snippet_id      = each.value.snippet_id
+  content         = "### Fastly managed ngwaf_config_miss"
+  manage_snippets = false
+}
+
+resource "fastly_service_dynamic_snippet_content" "ngwaf_config_pass" {
+  for_each = {
+    for d in fastly_service_vcl.frontend-vcl-service.dynamicsnippet : d.name => d if d.name == "ngwaf_config_pass"
+  }
+  service_id      = fastly_service_vcl.frontend-vcl-service.id
+  snippet_id      = each.value.snippet_id
+  content         = "### Fastly managed ngwaf_config_pass"
+  manage_snippets = false
+}
+
+resource "fastly_service_dynamic_snippet_content" "ngwaf_config_deliver" {
+  for_each = {
+    for d in fastly_service_vcl.frontend-vcl-service.dynamicsnippet : d.name => d if d.name == "ngwaf_config_deliver"
+  }
+  service_id      = fastly_service_vcl.frontend-vcl-service.id
+  snippet_id      = each.value.snippet_id
+  content         = "### Fastly managed ngwaf_config_deliver"
+  manage_snippets = false
+}
diff --git a/infra/main.tf b/infra/main.tf
@@ -0,0 +1,34 @@
+terraform {
+  required_providers {
+    fastly = {
+      source  = "fastly/fastly"
+      version = ">= 3.0.4"
+    }
+    sigsci = {
+      source  = "signalsciences/sigsci"
+      version = ">= 1.2.18"
+    }
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
+
+# Provider configurations
+provider "fastly" {
+  api_key = var.FASTLY_API_KEY
+}
+
+provider "aws" {
+  region     = "us-east-2"
+  access_key = var.AWS_ACCESS_KEY_ID
+  secret_key = var.AWS_SECRET_ACCESS_KEY
+}
+
+provider "sigsci" {
+  corp         = var.NGWAF_CORP
+  email        = var.NGWAF_EMAIL
+  auth_token   = var.NGWAF_TOKEN
+  fastly_api_key = var.FASTLY_API_KEY
+}
diff --git a/infra/ngwaf.tf b/infra/ngwaf.tf
@@ -0,0 +1,29 @@
+# NGWAF Edge Deployment
+resource "sigsci_edge_deployment" "ngwaf_edge_site_service" {
+  site_short_name = var.NGWAF_SITE
+}
+
+resource "sigsci_edge_deployment_service" "ngwaf_edge_service_link" {
+  site_short_name  = var.NGWAF_SITE
+  fastly_sid       = fastly_service_vcl.frontend-vcl-service.id
+  activate_version = true
+  percent_enabled  = 100
+  depends_on = [
+    sigsci_edge_deployment.ngwaf_edge_site_service,
+    fastly_service_vcl.frontend-vcl-service,
+    fastly_service_dictionary_items.edge_security_dictionary_items,
+    fastly_service_dynamic_snippet_content.ngwaf_config_init,
+    fastly_service_dynamic_snippet_content.ngwaf_config_miss,
+    fastly_service_dynamic_snippet_content.ngwaf_config_pass,
+    fastly_service_dynamic_snippet_content.ngwaf_config_deliver,
+  ]
+}
+
+resource "sigsci_edge_deployment_service_backend" "ngwaf_edge_service_backend_sync" {
+  site_short_name                   = var.NGWAF_SITE
+  fastly_sid                        = fastly_service_vcl.frontend-vcl-service.id
+  fastly_service_vcl_active_version = fastly_service_vcl.frontend-vcl-service.active_version
+  depends_on = [
+    sigsci_edge_deployment_service.ngwaf_edge_service_link,
+  ]
+}
diff --git a/infra/out.tf b/infra/out.tf
@@ -0,0 +1,16 @@
+output "testing-the_ngwaf" {
+  value = <<tfmultiline
+  #### Click the URL to go to the service ####
+  https://cfg.fastly.com/${fastly_service_vcl.frontend-vcl-service.id}
+  #### Send a test request with curl. ####
+  curl -i "https://${var.USER_VCL_SERVICE_DOMAIN_NAME}/anything/whydopirates?likeurls=theargs" -d foo=bar
+  #### Send an test as cmd exe request with curl. ####
+  curl -i "https://${var.USER_VCL_SERVICE_DOMAIN_NAME}/anything/myattackreq?i=../../../../etc/passwd'" -d foo=bar
+  #### Troubleshoot the logging configuration if necessary. ####
+  curl https://api.fastly.com/service/${fastly_service_vcl.frontend-vcl-service.id}/logging_status -H fastly-key:$FASTLY_API_KEY
+  tfmultiline
+  description = "Output hints on what to do next."
+  depends_on = [
+    sigsci_edge_deployment_service.ngwaf_edge_service_link
+  ]
+}
diff --git a/infra/terraform.tfvars.example b/infra/terraform.tfvars.example
@@ -0,0 +1,5 @@
+AWS_ACCESS_KEY_ID = "NotARealKey"
+AWS_SECRET_ACCESS_KEY = "NotARealKey"
+
+NGWAF_TOKEN = "NotARealKey"
+FASTLY_API_KEY = "NotARealKey"
diff --git a/infra/variables.tf b/infra/variables.tf
@@ -0,0 +1,79 @@
+# Fastly variables
+variable "FASTLY_API_KEY" {
+  type        = string
+  description = "API key for the Fastly VCL edge configuration."
+}
+
+# VCL Service variables
+variable "USER_VCL_SERVICE_DOMAIN_NAME" {
+  type        = string
+  description = "Frontend domain for your service."
+  default     = "ngwaftest.psf.io"
+}
+
+variable "USER_VCL_SERVICE_BACKEND_HOSTNAME" {
+  type        = string
+  description = "Hostname used for backend."
+  default     = "test-ngwaf.psf.io"
+}
+
+variable "Edge_Security_dictionary" {
+  type    = string
+  default = "Edge_Security"
+}
+
+# NGWAF variables
+variable "NGWAF_CORP" {
+  type        = string
+  description = "Corp name for NGWAF"
+  default     = "python"
+}
+
+variable "NGWAF_SITE" {
+  type        = string
+  description = "Site SHORT name for NGWAF"
+  default     = "test"
+}
+
+variable "NGWAF_EMAIL" {
+  type        = string
+  description = "Email address associated with the token for the NGWAF API."
+  default     = "jacob.coffee@pyfound.org"
+}
+
+variable "NGWAF_TOKEN" {
+  type        = string
+  description = "Secret token for the NGWAF API."
+  sensitive   = true
+}
+
+# AWS variables
+variable "AWS_ACCESS_KEY_ID" {
+  type        = string
+  description = "Access key for the AWS account."
+  sensitive   = true
+}
+
+variable "AWS_SECRET_ACCESS_KEY" {
+  type        = string
+  description = "Secret access key for the AWS account."
+  sensitive   = true
+}
+
+variable "route53_zone_id" {
+  type        = string
+  description = "The Route 53 hosted zone ID"
+  default     = "Z2LSM2W8Q3WN11" # psf.io
+}
+
+variable "route53_record_name" {
+  type        = string
+  description = "The name of the CNAME record"
+  default     = "ngwaftest.psf.io"
+}
+
+variable "route53_record_ttl" {
+  type        = number
+  description = "The TTL for the CNAME record"
+  default     = 60
+}
