Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add wafv2 permissions #136

Merged
merged 20 commits into from
Mar 17, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
1 change: 1 addition & 0 deletions aws/policy/compute.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -175,6 +175,7 @@ Statement:
- elasticloadbalancing:ModifyLoadBalancerAttributes
- elasticloadbalancing:RegisterTargets
- elasticloadbalancing:SetSecurityGroups
- elasticloadbalancing:SetWebACL
- elasticfilesystem:DescribeFileSystems
- elasticfilesystem:DescribeMountTargets
- elasticfilesystem:DescribeMountTargetSecurityGroups
Expand Down
37 changes: 37 additions & 0 deletions aws/policy/security-services.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,43 @@ Statement:
Resource:
- 'arn:aws:iam::{{ aws_account_id }}:role/ansible_lambda_role'

- Sid: AllowRegionalRestrictedResourceActionsWhichIncurFees
Effect: Allow
Resource:
- 'arn:aws:wafv2:{{ aws_region }}:{{ aws_account_id }}:*'
Action:
- wafv2:ListRuleGroups
- wafv2:ListWebACLs
- wafv2:AssociateWebACL
- wafv2:DeleteRuleGroup
- wafv2:CreateRuleGroup
- wafv2:PutFirewallManagerRuleGroups
- wafv2:GetWebACLForResource
- wafv2:GetLoggingConfiguration
- wafv2:DeleteWebACL
- wafv2:GetRateBasedStatementManagedKeys
- wafv2:ListLoggingConfigurations
- wafv2:GetIPSet
- wafv2:CreateWebACL
- wafv2:ListIPSets
- wafv2:GetWebACL
- wafv2:GetRuleGroup
- wafv2:CreateIPSet
- wafv2:ListAvailableManagedRuleGroups
- wafv2:DeleteIPSet
- wafv2:DescribeManagedRuleGroup
- wafv2:CheckCapacity
- wafv2:ListResourcesForWebACL
- wafv2:DeleteLoggingConfiguration
- wafv2:PutLoggingConfiguration
- wafv2:DisassociateWebACL
- wafv2:UpdateWebACL
- wafv2:UpdateRuleGroup
- wafv2:DeleteFirewallManagerRuleGroups
- wafv2:DisassociateFirewallManager
- wafv2:UpdateIPSet
markuman marked this conversation as resolved.
Show resolved Hide resolved
- wafv2:TagResource

- Sid: AllowRegionalUnrestrictedResourceActionsWhichIncurNoFees
Effect: Allow
Action:
Expand Down
76 changes: 76 additions & 0 deletions aws/terminator/security_services.py
Original file line number Diff line number Diff line change
Expand Up @@ -265,6 +265,82 @@ def terminate(self):
self.client.delete_regex_pattern_set(RegexPatternSetId=self.id, ChangeToken=self.change_token)


class WafV2(DbTerminator):
@property
def id(self):
return self.instance['Id']

@property
def name(self):
return self.instance['Name']

@property
def lock_token(self):
return self.instance['LockToken']

@property
def scope(self):
return self.instance['Scope']

@abc.abstractmethod
def terminate(self):
"""Terminate or delete the AWS resource."""


class RegionalWafV2IpSet(WafV2):
@staticmethod
def create(credentials):
return DbTerminator._create(credentials, RegionalWafV2IpSet, 'wafv2', lambda client: client.list_ip_sets(Scope='REGIONAL')['IPSets'])

def terminate(self):
self.client.delete_ip_set(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope='REGIONAL')


class CloudfrontWafV2IpSet(WafV2):
@staticmethod
def create(credentials):
return DbTerminator._create(credentials, CloudfrontWafV2IpSet, 'wafv2', lambda client: client.list_ip_sets(Scope='CLOUDFRONT')['IPSets'])

def terminate(self):
self.client.delete_ip_set(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope='CLOUDFRONT')


class RegionalWafV2RuleGroup(WafV2):
@staticmethod
def create(credentials):
return DbTerminator._create(credentials, RegionalWafV2RuleGroup, 'wafv2', lambda client: client.list_rule_groups(Scope='REGIONAL')['RuleGroups'])

def terminate(self):
self.client.delete_rule_group(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope='REGIONAL')


class CloudfrontWafV2RuleGroup(WafV2):
@staticmethod
def create(credentials):
return DbTerminator._create(credentials, CloudfrontWafV2RuleGroup, 'wafv2', lambda client: client.list_rule_groups(Scope='CLOUDFRONT')['RuleGroups'])

def terminate(self):
self.client.delete_rule_group(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope='CLOUDFRONT')


class RegionalWafV2WebAcl(WafV2):
@staticmethod
def create(credentials):
return DbTerminator._create(credentials, RegionalWafV2WebAcl, 'wafv2', lambda client: client.list_web_acls(Scope='REGIONAL')['WebACLs'])

def terminate(self):
self.client.delete_web_acl(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope='REGIONAL')


class CloudfrontWafV2WebAcl(WafV2):
@staticmethod
def create(credentials):
return DbTerminator._create(credentials, CloudfrontWafV2WebAcl, 'wafv2', lambda client: client.list_web_acls(Scope='CLOUDFRONT')['WebACLs'])

def terminate(self):
self.client.delete_web_acl(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope='CLOUDFRONT')


class InspectorAssessmentTemplate(DbTerminator):
@staticmethod
def create(credentials):
Expand Down