Merge pull request #136 from markuman/wafv2

add wafv2 permissions
mattclay · Mar 17, 2021 · 560bb60 · 560bb60
2 parents 68e80c3 + 40b43d7
commit 560bb60
Show file tree

Hide file tree

Showing 3 changed files with 114 additions and 0 deletions.
diff --git a/aws/policy/compute.yaml b/aws/policy/compute.yaml
@@ -175,6 +175,7 @@ Statement:
       - elasticloadbalancing:ModifyLoadBalancerAttributes
       - elasticloadbalancing:RegisterTargets
       - elasticloadbalancing:SetSecurityGroups
+      - elasticloadbalancing:SetWebACL
       - elasticfilesystem:DescribeFileSystems
       - elasticfilesystem:DescribeMountTargets
       - elasticfilesystem:DescribeMountTargetSecurityGroups

diff --git a/aws/policy/security-services.yaml b/aws/policy/security-services.yaml
@@ -27,6 +27,43 @@ Statement:
     Resource:
       - 'arn:aws:iam::{{ aws_account_id }}:role/ansible_lambda_role'
 
+  - Sid: AllowRegionalRestrictedResourceActionsWhichIncurFees
+    Effect: Allow
+    Resource:
+      - 'arn:aws:wafv2:{{ aws_region }}:{{ aws_account_id }}:*'
+    Action:
+      - wafv2:ListRuleGroups
+      - wafv2:ListWebACLs
+      - wafv2:AssociateWebACL
+      - wafv2:DeleteRuleGroup
+      - wafv2:CreateRuleGroup
+      - wafv2:PutFirewallManagerRuleGroups
+      - wafv2:GetWebACLForResource
+      - wafv2:GetLoggingConfiguration
+      - wafv2:DeleteWebACL
+      - wafv2:GetRateBasedStatementManagedKeys
+      - wafv2:ListLoggingConfigurations
+      - wafv2:GetIPSet
+      - wafv2:CreateWebACL
+      - wafv2:ListIPSets
+      - wafv2:GetWebACL
+      - wafv2:GetRuleGroup
+      - wafv2:CreateIPSet
+      - wafv2:ListAvailableManagedRuleGroups
+      - wafv2:DeleteIPSet
+      - wafv2:DescribeManagedRuleGroup
+      - wafv2:CheckCapacity
+      - wafv2:ListResourcesForWebACL
+      - wafv2:DeleteLoggingConfiguration
+      - wafv2:PutLoggingConfiguration
+      - wafv2:DisassociateWebACL
+      - wafv2:UpdateWebACL
+      - wafv2:UpdateRuleGroup
+      - wafv2:DeleteFirewallManagerRuleGroups
+      - wafv2:DisassociateFirewallManager
+      - wafv2:UpdateIPSet
+      - wafv2:TagResource
+
   - Sid: AllowRegionalUnrestrictedResourceActionsWhichIncurNoFees
     Effect: Allow
     Action:

diff --git a/aws/terminator/security_services.py b/aws/terminator/security_services.py
@@ -265,6 +265,82 @@ def terminate(self):
         self.client.delete_regex_pattern_set(RegexPatternSetId=self.id, ChangeToken=self.change_token)
 
 
+class WafV2(DbTerminator):
+    @property
+    def id(self):
+        return self.instance['Id']
+
+    @property
+    def name(self):
+        return self.instance['Name']
+
+    @property
+    def lock_token(self):
+        return self.instance['LockToken']
+
+    @property
+    def scope(self):
+        return self.instance['Scope']
+
+    @abc.abstractmethod
+    def terminate(self):
+        """Terminate or delete the AWS resource."""
+
+
+class RegionalWafV2IpSet(WafV2):
+    @staticmethod
+    def create(credentials):
+        return DbTerminator._create(credentials, RegionalWafV2IpSet, 'wafv2', lambda client: client.list_ip_sets(Scope='REGIONAL')['IPSets'])
+
+    def terminate(self):
+        self.client.delete_ip_set(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope='REGIONAL')
+
+
+class CloudfrontWafV2IpSet(WafV2):
+    @staticmethod
+    def create(credentials):
+        return DbTerminator._create(credentials, CloudfrontWafV2IpSet, 'wafv2', lambda client: client.list_ip_sets(Scope='CLOUDFRONT')['IPSets'])
+
+    def terminate(self):
+        self.client.delete_ip_set(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope='CLOUDFRONT')
+
+
+class RegionalWafV2RuleGroup(WafV2):
+    @staticmethod
+    def create(credentials):
+        return DbTerminator._create(credentials, RegionalWafV2RuleGroup, 'wafv2', lambda client: client.list_rule_groups(Scope='REGIONAL')['RuleGroups'])
+
+    def terminate(self):
+        self.client.delete_rule_group(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope='REGIONAL')
+
+
+class CloudfrontWafV2RuleGroup(WafV2):
+    @staticmethod
+    def create(credentials):
+        return DbTerminator._create(credentials, CloudfrontWafV2RuleGroup, 'wafv2', lambda client: client.list_rule_groups(Scope='CLOUDFRONT')['RuleGroups'])
+
+    def terminate(self):
+        self.client.delete_rule_group(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope='CLOUDFRONT')
+
+
+class RegionalWafV2WebAcl(WafV2):
+    @staticmethod
+    def create(credentials):
+        return DbTerminator._create(credentials, RegionalWafV2WebAcl, 'wafv2', lambda client: client.list_web_acls(Scope='REGIONAL')['WebACLs'])
+
+    def terminate(self):
+        self.client.delete_web_acl(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope='REGIONAL')
+
+
+class CloudfrontWafV2WebAcl(WafV2):
+    @staticmethod
+    def create(credentials):
+        return DbTerminator._create(credentials, CloudfrontWafV2WebAcl, 'wafv2', lambda client: client.list_web_acls(Scope='CLOUDFRONT')['WebACLs'])
+
+    def terminate(self):
+        self.client.delete_web_acl(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope='CLOUDFRONT')
+
+
 class InspectorAssessmentTemplate(DbTerminator):
     @staticmethod
     def create(credentials):