Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add wafv2 permissions #136

Merged
merged 20 commits into from
Mar 17, 2021
Merged

add wafv2 permissions #136

Show file tree
Hide file tree
Changes from 13 commits
Commits
Show all changes
20 commits
Select commit Hold shift + click to select a range
eb514e0
add wafv2 permissions
markuman Mar 1, 2021
4e166e8
reduce wafv2 permissions
markuman Mar 2, 2021
84f4168
add wafv2 to AllowRegionalRestrictedResourceActionsWhichIncurFees sid
markuman Mar 2, 2021
ed6fcfe
add draft WafV2IpSetRegionl terminator class
markuman Mar 11, 2021
d66fc66
fix undefined variable
markuman Mar 11, 2021
7eb5d45
Update aws/terminator/security_services.py
markuman Mar 11, 2021
00c2bd5
Update aws/terminator/security_services.py
markuman Mar 11, 2021
1633878
add WafV2RuleGroup and kept scope information
markuman Mar 11, 2021
b75d661
add WafV2 class
markuman Mar 11, 2021
eb923c8
fix linting
markuman Mar 11, 2021
603c4d2
add abstract methods and fix undefined variables
markuman Mar 11, 2021
89eace2
remove abstract create method
markuman Mar 11, 2021
efe14bf
add WafV2WebAcl class
markuman Mar 11, 2021
22dd03f
add resource and missing action
markuman Mar 12, 2021
9e4eea3
add alb setwebacl action
markuman Mar 12, 2021
5c78df5
fix linting
markuman Mar 12, 2021
e676e12
Merge branch 'master' into wafv2
markuman Mar 15, 2021
d76f1fa
fix update dict
markuman Mar 15, 2021
1b34090
Merge branch 'wafv2' of github.com:markuman/aws-terminator into wafv2
markuman Mar 15, 2021
40b43d7
fix errors
markuman Mar 17, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
34 changes: 34 additions & 0 deletions aws/policy/security-services.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,40 @@ Statement:
Resource:
- 'arn:aws:iam::{{ aws_account_id }}:role/ansible_lambda_role'

- Sid: AllowRegionalRestrictedResourceActionsWhichIncurFees
Effect: Allow
Action:
- wafv2:ListRuleGroups
- wafv2:ListWebACLs
- wafv2:AssociateWebACL
- wafv2:DeleteRuleGroup
- wafv2:CreateRuleGroup
- wafv2:PutFirewallManagerRuleGroups
- wafv2:GetWebACLForResource
- wafv2:GetLoggingConfiguration
- wafv2:DeleteWebACL
- wafv2:GetRateBasedStatementManagedKeys
- wafv2:ListLoggingConfigurations
- wafv2:GetIPSet
- wafv2:CreateWebACL
- wafv2:ListIPSets
- wafv2:GetWebACL
- wafv2:GetRuleGroup
- wafv2:CreateIPSet
- wafv2:ListAvailableManagedRuleGroups
- wafv2:DeleteIPSet
- wafv2:DescribeManagedRuleGroup
- wafv2:CheckCapacity
- wafv2:ListResourcesForWebACL
- wafv2:DeleteLoggingConfiguration
- wafv2:PutLoggingConfiguration
- wafv2:DisassociateWebACL
- wafv2:UpdateWebACL
- wafv2:UpdateRuleGroup
- wafv2:DeleteFirewallManagerRuleGroups
- wafv2:DisassociateFirewallManager
- wafv2:UpdateIPSet
markuman marked this conversation as resolved.
Show resolved Hide resolved

- Sid: AllowRegionalUnrestrictedResourceActionsWhichIncurNoFees
Effect: Allow
Action:
Expand Down
71 changes: 71 additions & 0 deletions aws/terminator/security_services.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -265,6 +265,77 @@ def terminate(self):
self.client.delete_regex_pattern_set(RegexPatternSetId=self.id, ChangeToken=self.change_token)


class WafV2(DbTerminator):
@property
def id(self):
return self.instance['Id']

@property
def name(self):
return self.instance['Name']

@property
def lock_token(self):
return self.instance['LockToken']

@property
def scope(self):
return self.instance['Scope']

@abc.abstractmethod
def terminate(self):
"""Terminate or delete the AWS resource."""


class WafV2IpSet(WafV2):
@staticmethod
def create(credentials):
regional = DbTerminator._create(credentials, WafV2IpSet, 'wafv2', lambda client: client.list_ip_sets(Scope='REGIONAL')['IPSets'])
for item in regional:
item.update({"Scope": "REGIONAL"})

cloudfront = DbTerminator._create(credentials, WafV2IpSet, 'wafv2', lambda client: client.list_ip_sets(Scope='CLOUDFRONT')['IPSets'])
for item in cloudfront:
item.update({"Scope": "CLOUDFRONT"})

return regional + cloudfront

def terminate(self):
self.client.delete_ip_set(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope=self.scope)


class WafV2RuleGroup(WafV2):
@staticmethod
def create(credentials):
regional = DbTerminator._create(credentials, WafV2RuleGroup, 'wafv2', lambda client: client.list_rule_groups(Scope='REGIONAL')['RuleGroups'])
for item in regional:
item.update({"Scope": "REGIONAL"})

cloudfront = DbTerminator._create(credentials, WafV2RuleGroup, 'wafv2', lambda client: client.list_rule_groups(Scope='CLOUDFRONT')['RuleGroups'])
for item in cloudfront:
item.update({"Scope": "CLOUDFRONT"})
return regional + cloudfront

def terminate(self):
self.client.delete_rule_group(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope=self.scope)


class WafV2WebAcl(WafV2):
@staticmethod
def create(credentials):
regional = DbTerminator._create(credentials, WafV2WebAcl, 'wafv2', lambda client: client.list_web_acls(Scope='REGIONAL')['WebACLs'])
for item in regional:
item.update({"Scope": "REGIONAL"})

cloudfront = DbTerminator._create(credentials, WafV2WebAcl, 'wafv2', lambda client: client.list_web_acls(Scope='CLOUDFRONT')['WebACLs'])
for item in cloudfront:
item.update({"Scope": "CLOUDFRONT"})
return regional + cloudfront

def terminate(self):
self.client.delete_web_acl(Id=self.id, Name=self.name, LockToken=self.lock_token, Scope=self.scope)


class InspectorAssessmentTemplate(DbTerminator):
@staticmethod
def create(credentials):
Expand Down