ansible/test/integration/targets/aws_waf_web_acl/tasks/main.yml

298 lines
8.4 KiB
YAML
Raw Normal View History

- block:
- name: set yaml anchor
set_fact:
aws_connection_info: &aws_connection_info
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
security_token: "{{ security_token }}"
no_log: yes
- name: create WAF IP condition
aws_waf_condition:
name: "{{ resource_prefix }}_ip_condition"
filters:
- ip_address: "10.0.0.0/8"
type: ip
<<: *aws_connection_info
register: create_waf_ip_condition
- name: add an IP address to WAF condition
aws_waf_condition:
name: "{{ resource_prefix }}_ip_condition"
filters:
- ip_address: "10.0.0.0/8"
- ip_address: "192.168.0.0/24"
type: ip
<<: *aws_connection_info
register: add_ip_address_to_waf_condition
- name: check expected waf filter length
assert:
that:
- add_ip_address_to_waf_condition.condition.ip_set_descriptors|length == 2
- name: add an IP address to WAF condition (rely on purge_filters defaulting to false)
aws_waf_condition:
name: "{{ resource_prefix }}_ip_condition"
filters:
- ip_address: "192.168.10.0/24"
type: ip
<<: *aws_connection_info
register: add_ip_address_to_waf_condition_no_purge
- name: check waf filter length has increased
assert:
that:
- add_ip_address_to_waf_condition_no_purge.condition.ip_set_descriptors|length == 3
- add_ip_address_to_waf_condition_no_purge.changed
- name: add an IP address to WAF condition (set purge_filters)
aws_waf_condition:
name: "{{ resource_prefix }}_ip_condition"
filters:
- ip_address: "192.168.20.0/24"
purge_filters: yes
type: ip
<<: *aws_connection_info
register: add_ip_address_to_waf_condition_purge
- name: check waf filter length has reduced
assert:
that:
- add_ip_address_to_waf_condition_purge.condition.ip_set_descriptors|length == 1
- add_ip_address_to_waf_condition_purge.changed
- name: create WAF byte condition
aws_waf_condition:
name: "{{ resource_prefix }}_byte_condition"
filters:
- field_to_match: header
position: STARTS_WITH
target_string: Hello
header: Content-type
type: byte
<<: *aws_connection_info
register: create_waf_byte_condition
- name: recreate WAF byte condition
aws_waf_condition:
name: "{{ resource_prefix }}_byte_condition"
filters:
- field_to_match: header
position: STARTS_WITH
target_string: Hello
header: Content-type
type: byte
<<: *aws_connection_info
register: recreate_waf_byte_condition
- name: assert that no change was made
assert:
that:
- not recreate_waf_byte_condition.changed
- name: create WAF geo condition
aws_waf_condition:
name: "{{ resource_prefix }}_geo_condition"
filters:
- country: US
- country: AU
- country: AT
type: geo
<<: *aws_connection_info
register: create_waf_geo_condition
- name: create WAF size condition
aws_waf_condition:
name: "{{ resource_prefix }}_size_condition"
filters:
- field_to_match: query_string
size: 300
comparison: GT
type: size
<<: *aws_connection_info
register: create_waf_size_condition
- name: create WAF sql condition
aws_waf_condition:
name: "{{ resource_prefix }}_sql_condition"
filters:
- field_to_match: query_string
transformation: url_decode
type: sql
<<: *aws_connection_info
register: create_waf_sql_condition
- name: create WAF xss condition
aws_waf_condition:
name: "{{ resource_prefix }}_xss_condition"
filters:
- field_to_match: query_string
transformation: url_decode
type: xss
<<: *aws_connection_info
register: create_waf_xss_condition
- name: create WAF regex condition
aws_waf_condition:
name: "{{ resource_prefix }}_regex_condition"
filters:
- field_to_match: query_string
regex_pattern:
name: greetings
regex_strings:
- '[hH]ello'
- '^Hi there'
- '.*Good Day to You'
type: regex
<<: *aws_connection_info
register: create_waf_regex_condition
- name: create a second WAF regex condition with the same regex
aws_waf_condition:
name: "{{ resource_prefix }}_regex_condition_part_2"
filters:
- field_to_match: header
header: cookie
regex_pattern:
name: greetings
regex_strings:
- '[hH]ello'
- '^Hi there'
- '.*Good Day to You'
type: regex
<<: *aws_connection_info
register: create_second_waf_regex_condition
- name: check that the pattern is shared
assert:
that:
- >
create_waf_regex_condition.condition.regex_match_tuples[0].regex_pattern_set_id ==
create_second_waf_regex_condition.condition.regex_match_tuples[0].regex_pattern_set_id
- create_second_waf_regex_condition.changed
- name: delete first WAF regex condition
aws_waf_condition:
name: "{{ resource_prefix }}_regex_condition"
filters:
- field_to_match: query_string
regex_pattern:
name: greetings
regex_strings:
- '[hH]ello'
- '^Hi there'
- '.*Good Day to You'
type: regex
state: absent
<<: *aws_connection_info
register: delete_waf_regex_condition
- name: delete second WAF regex condition
aws_waf_condition:
name: "{{ resource_prefix }}_regex_condition_part_2"
filters:
- field_to_match: header
header: cookie
regex_pattern:
name: greetings
regex_strings:
- '[hH]ello'
- '^Hi there'
- '.*Good Day to You'
type: regex
state: absent
<<: *aws_connection_info
register: delete_second_waf_regex_condition
- name: create WAF regex condition
aws_waf_condition:
name: "{{ resource_prefix }}_regex_condition"
filters:
- field_to_match: query_string
regex_pattern:
name: greetings
regex_strings:
- '[hH]ello'
- '^Hi there'
- '.*Good Day to You'
type: regex
<<: *aws_connection_info
register: recreate_waf_regex_condition
- name: check that a new pattern is created (because the first pattern should have been deleted once unused)
assert:
that:
- >
recreate_waf_regex_condition.condition.regex_match_tuples[0].regex_pattern_set_id !=
create_waf_regex_condition.condition.regex_match_tuples[0].regex_pattern_set_id
always:
- debug:
msg: "****** TEARDOWN STARTS HERE ******"
- name: remove XSS condition
aws_waf_condition:
name: "{{ resource_prefix }}_xss_condition"
type: xss
state: absent
<<: *aws_connection_info
ignore_errors: yes
- name: remove SQL condition
aws_waf_condition:
name: "{{ resource_prefix }}_sql_condition"
type: sql
state: absent
<<: *aws_connection_info
ignore_errors: yes
- name: remove size condition
aws_waf_condition:
name: "{{ resource_prefix }}_size_condition"
type: size
state: absent
<<: *aws_connection_info
ignore_errors: yes
- name: remove geo condition
aws_waf_condition:
name: "{{ resource_prefix }}_geo_condition"
type: geo
state: absent
<<: *aws_connection_info
ignore_errors: yes
- name: remove byte condition
aws_waf_condition:
name: "{{ resource_prefix }}_byte_condition"
type: byte
state: absent
<<: *aws_connection_info
ignore_errors: yes
- name: remove ip address condition
aws_waf_condition:
name: "{{ resource_prefix }}_ip_condition"
type: ip
state: absent
<<: *aws_connection_info
ignore_errors: yes
- name: remove regex part 2 condition
aws_waf_condition:
name: "{{ resource_prefix }}_regex_condition_part_2"
type: regex
state: absent
<<: *aws_connection_info
ignore_errors: yes
- name: remove first regex condition
aws_waf_condition:
name: "{{ resource_prefix }}_regex_condition"
type: regex
state: absent
<<: *aws_connection_info
ignore_errors: yes