Skip to content

Commit

Permalink
Add AWS Wafv2 Support (#1254)
Browse files Browse the repository at this point in the history
* Add basic support for wafv2, missing aws_wafv2_web_acl_association and aws_wafv2_web_acl_logging_configuration

* add logging config and associatations

* add loop for each resource type

* scope cloudfront to us-east-1

* move up dep

* add docs
  • Loading branch information
countableSet authored Mar 17, 2022
1 parent 415fee5 commit ceb25e2
Show file tree
Hide file tree
Showing 6 changed files with 251 additions and 14 deletions.
33 changes: 21 additions & 12 deletions cmd/provider_cmd_aws.go
Original file line number Diff line number Diff line change
Expand Up @@ -33,15 +33,22 @@ func newCmdAwsImporter(options ImportOptions) *cobra.Command {

if len(options.Regions) > 0 {
shouldSpecifyPathRegion := len(options.Regions) > 1
globalResources := parseGlobalResources(originalResources)
globalResources, eastOnlyResources, regionalResources := parseAndGroupResources(originalResources)
options.Resources = globalResources
options.Regions = []string{awsterraformer.GlobalRegion}
e := importGlobalResources(options)
if e != nil {
return e
}

options.Resources = parseRegionalResources(originalResources)
options.Resources = eastOnlyResources
options.Regions = []string{awsterraformer.MainRegionPublicPartition}
e = importEastOnlyResources(options)
if e != nil {
return e
}

options.Resources = regionalResources
options.Regions = originalRegions
if len(options.Resources) > 0 { // don't import anything and potentially override global resources
if len(globalResources) > 0 {
Expand Down Expand Up @@ -71,14 +78,19 @@ func newCmdAwsImporter(options ImportOptions) *cobra.Command {
return cmd
}

func parseGlobalResources(allResources []string) []string {
var globalResources []string
// returns global, east-only, regional resources
func parseAndGroupResources(allResources []string) ([]string, []string, []string) {
var globalResources, eastOnlyResources, regionalResources []string
for _, resourceName := range allResources {
if contains(awsterraformer.SupportedGlobalResources, resourceName) {
globalResources = append(globalResources, resourceName)
} else if contains(awsterraformer.SupportedEastOnlyResources, resourceName) {
eastOnlyResources = append(eastOnlyResources, resourceName)
} else {
regionalResources = append(regionalResources, resourceName)
}
}
return globalResources
return globalResources, eastOnlyResources, regionalResources
}

func importGlobalResources(options ImportOptions) error {
Expand All @@ -88,14 +100,11 @@ func importGlobalResources(options ImportOptions) error {
return nil
}

func parseRegionalResources(allResources []string) []string {
var localResources []string
for _, resourceName := range allResources {
if !contains(awsterraformer.SupportedGlobalResources, resourceName) {
localResources = append(localResources, resourceName)
}
func importEastOnlyResources(options ImportOptions) error {
if len(options.Resources) > 0 {
return importRegionResources(options, options.PathPattern, awsterraformer.MainRegionPublicPartition, false)
}
return localResources
return nil
}

func importRegionResources(options ImportOptions, originalPathPattern string, region string, shouldSpecifyPathRegion bool) error {
Expand Down
13 changes: 13 additions & 0 deletions docs/aws.md
Original file line number Diff line number Diff line change
Expand Up @@ -307,6 +307,19 @@ terraformer import aws --resources=sg --regions=us-east-1
* `aws_wafregional_sql_injection_match_set`
* `aws_wafregional_web_acl`
* `aws_wafregional_xss_match_set`
* `wafv2_cloudfront`
* `aws_wafv2_ip_set`
* `aws_wafv2_regex_pattern_set`
* `aws_wafv2_rule_group`
* `aws_wafv2_web_acl`
* `aws_wafv2_web_acl_logging_configuration`
* `wafv2_regional`
* `aws_wafv2_ip_set`
* `aws_wafv2_regex_pattern_set`
* `aws_wafv2_rule_group`
* `aws_wafv2_web_acl`
* `aws_wafv2_web_acl_association`
* `aws_wafv2_web_acl_logging_configuration`
* `vpc`
* `aws_vpc`
* `vpc_peering`
Expand Down
1 change: 1 addition & 0 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -97,6 +97,7 @@ require (
github.com/aws/aws-sdk-go-v2/service/swf v1.10.0
github.com/aws/aws-sdk-go-v2/service/waf v1.1.4
github.com/aws/aws-sdk-go-v2/service/wafregional v1.2.1
github.com/aws/aws-sdk-go-v2/service/wafv2 v1.18.0
github.com/aws/aws-sdk-go-v2/service/workspaces v1.2.1
github.com/aws/aws-sdk-go-v2/service/xray v1.2.1
github.com/cenkalti/backoff v2.2.1+incompatible // indirect
Expand Down
2 changes: 2 additions & 0 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -373,6 +373,8 @@ github.com/aws/aws-sdk-go-v2/service/waf v1.1.4 h1:Wh0YMwF394A9eBC8Pv8Uxk6CBx9KT
github.com/aws/aws-sdk-go-v2/service/waf v1.1.4/go.mod h1:Ujifac0yyu5RLw3cPCGua50uHnsjiJo9LAhXEJZ+tVk=
github.com/aws/aws-sdk-go-v2/service/wafregional v1.2.1 h1:Re8Uwffnndo9t8V46kT3aruMvVXHXUmuYKhIF1U9CBc=
github.com/aws/aws-sdk-go-v2/service/wafregional v1.2.1/go.mod h1:WvRSWmA7SJw0TbU0XKCo+oC/qsD/OR/tFRzTnq8FBpk=
github.com/aws/aws-sdk-go-v2/service/wafv2 v1.18.0 h1:d42YwLtFO0CgubEAPUxaW8rw/i8eFiFgP9dCnYuE/Ok=
github.com/aws/aws-sdk-go-v2/service/wafv2 v1.18.0/go.mod h1:mJGumgpCFbImG07kvjOS75rsmHlF4uY8fm31h1fvumc=
github.com/aws/aws-sdk-go-v2/service/workspaces v1.2.1 h1:hSzpp50D6D37eIELSSpYwJ75e8XL9bvTzjspZgt4+5A=
github.com/aws/aws-sdk-go-v2/service/workspaces v1.2.1/go.mod h1:8k9EEz8LMNPUDENPlW0laaQkAZC2TbEYF+XNUu1lFLk=
github.com/aws/aws-sdk-go-v2/service/xray v1.2.1 h1:RiTWbH90tIuJNnZZys9HeqBfpT3oSPulh7fM7anPQiY=
Expand Down
9 changes: 7 additions & 2 deletions providers/aws/aws_provider.go
Original file line number Diff line number Diff line change
Expand Up @@ -35,8 +35,6 @@ const NoRegion = ""

// SupportedGlobalResources should be bound to a default region. AWS doesn't specify in which region default services are
// placed (see https://docs.aws.amazon.com/general/latest/gr/rande.html), so we shouldn't assume any region as well
//
// AWS WAF V2 if added, should not be included in this list since it is a composition of regional and global resources.
var SupportedGlobalResources = []string{
"budgets",
"cloudfront",
Expand All @@ -47,6 +45,11 @@ var SupportedGlobalResources = []string{
"waf",
}

// SupportedEastOnlyResources should be bound to us-east-1 region only, and does not work in any other region.
var SupportedEastOnlyResources = []string{
"wafv2_cloudfront",
}

func (p AWSProvider) GetResourceConnections() map[string]map[string][]string {
return map[string]map[string][]string{
"alb": {
Expand Down Expand Up @@ -304,6 +307,8 @@ func (p *AWSProvider) GetSupportedService() map[string]terraformutils.ServiceGen
"transit_gateway": &AwsFacade{service: &TransitGatewayGenerator{}},
"waf": &AwsFacade{service: &WafGenerator{}},
"waf_regional": &AwsFacade{service: &WafRegionalGenerator{}},
"wafv2_cloudfront": &AwsFacade{service: NewWafv2CloudfrontGenerator()},
"wafv2_regional": &AwsFacade{service: NewWafv2RegionalGenerator()},
"vpc": &AwsFacade{service: &VpcGenerator{}},
"vpc_peering": &AwsFacade{service: &VpcPeeringConnectionGenerator{}},
"vpn_connection": &AwsFacade{service: &VpnConnectionGenerator{}},
Expand Down
207 changes: 207 additions & 0 deletions providers/aws/wafv2.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,207 @@
// Copyright 2020 The Terraformer Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package aws

import (
"context"

"github.com/GoogleCloudPlatform/terraformer/terraformutils"
"github.com/aws/aws-sdk-go-v2/service/wafv2"
"github.com/aws/aws-sdk-go-v2/service/wafv2/types"
)

var wafv2AllowEmptyValues = []string{"tags."}

type Wafv2Generator struct {
AWSService
scope types.Scope
}

func NewWafv2CloudfrontGenerator() *Wafv2Generator {
return &Wafv2Generator{scope: types.ScopeCloudfront}
}

func NewWafv2RegionalGenerator() *Wafv2Generator {
return &Wafv2Generator{scope: types.ScopeRegional}
}

func (g *Wafv2Generator) InitResources() error {
config, e := g.generateConfig()
if e != nil {
return e
}
svc := wafv2.NewFromConfig(config)

if err := g.loadWebACL(svc); err != nil {
return err
}
if err := g.loadIPSet(svc); err != nil {
return err
}
if err := g.loadRegexPatternSets(svc); err != nil {
return err
}
if err := g.loadWafRuleGroups(svc); err != nil {
return err
}
if err := g.loadWebACLLoggingConfiguration(svc); err != nil {
return err
}

return nil
}

func (g *Wafv2Generator) loadWebACL(svc *wafv2.Client) error {
output, err := svc.ListWebACLs(context.TODO(), &wafv2.ListWebACLsInput{Scope: g.scope})
if err != nil {
return err
}
for _, acl := range output.WebACLs {
g.Resources = append(g.Resources, terraformutils.NewResource(
*acl.Id,
*acl.Name+"_"+(*acl.Id)[0:8],
"aws_wafv2_web_acl",
"aws",
map[string]string{
"name": *acl.Name,
"scope": string(g.scope),
},
wafv2AllowEmptyValues,
map[string]interface{}{},
))
if g.scope == types.ScopeRegional {
// cloudfront associations are not listed here since they should to defined in
// aws_cloudfront_distribution resource instead
err = g.loadWebACLAssociations(svc, acl.ARN)
if err != nil {
return err
}
}
}
return nil
}

func (g *Wafv2Generator) loadWebACLAssociations(svc *wafv2.Client, webACLArn *string) error {
for _, resourceType := range types.ResourceTypeApplicationLoadBalancer.Values() {
output, err := svc.ListResourcesForWebACL(context.TODO(),
&wafv2.ListResourcesForWebACLInput{WebACLArn: webACLArn, ResourceType: resourceType})
if err != nil {
return err
}
for _, resource := range output.ResourceArns {
g.Resources = append(g.Resources, terraformutils.NewResource(
resource,
resource,
"aws_wafv2_web_acl_association",
"aws",
map[string]string{
"resource_arn": resource,
"web_acl_arn": *webACLArn,
},
wafv2AllowEmptyValues,
map[string]interface{}{},
))
}
}
return nil
}

func (g *Wafv2Generator) loadIPSet(svc *wafv2.Client) error {
output, err := svc.ListIPSets(context.TODO(), &wafv2.ListIPSetsInput{Scope: g.scope})
if err != nil {
return err
}
for _, IPSet := range output.IPSets {
g.Resources = append(g.Resources, terraformutils.NewResource(
*IPSet.Id,
*IPSet.Name+"_"+(*IPSet.Id)[0:8],
"aws_wafv2_ip_set",
"aws",
map[string]string{
"name": *IPSet.Name,
"scope": string(g.scope),
},
wafv2AllowEmptyValues,
map[string]interface{}{},
))
}
return nil
}

func (g *Wafv2Generator) loadRegexPatternSets(svc *wafv2.Client) error {
output, err := svc.ListRegexPatternSets(context.TODO(), &wafv2.ListRegexPatternSetsInput{Scope: g.scope})
if err != nil {
return err
}
for _, regexPatternSet := range output.RegexPatternSets {
g.Resources = append(g.Resources, terraformutils.NewResource(
*regexPatternSet.Id,
*regexPatternSet.Name+"_"+(*regexPatternSet.Id)[0:8],
"aws_wafv2_regex_pattern_set",
"aws",
map[string]string{
"name": *regexPatternSet.Name,
"scope": string(g.scope),
},
wafv2AllowEmptyValues,
map[string]interface{}{},
))
}
return nil
}

func (g *Wafv2Generator) loadWafRuleGroups(svc *wafv2.Client) error {
output, err := svc.ListRuleGroups(context.TODO(), &wafv2.ListRuleGroupsInput{Scope: g.scope})
if err != nil {
return err
}
for _, ruleGroup := range output.RuleGroups {
g.Resources = append(g.Resources, terraformutils.NewResource(
*ruleGroup.Id,
*ruleGroup.Name+"_"+(*ruleGroup.Id)[0:8],
"aws_wafv2_rule_group",
"aws",
map[string]string{
"arn": *ruleGroup.ARN,
"name": *ruleGroup.Name,
"scope": string(g.scope),
},
wafv2AllowEmptyValues,
map[string]interface{}{},
))
}
return nil
}

func (g *Wafv2Generator) loadWebACLLoggingConfiguration(svc *wafv2.Client) error {
output, err := svc.ListLoggingConfigurations(context.TODO(), &wafv2.ListLoggingConfigurationsInput{Scope: g.scope})
if err != nil {
return err
}
for _, logConfig := range output.LoggingConfigurations {
g.Resources = append(g.Resources, terraformutils.NewResource(
*logConfig.ResourceArn,
*logConfig.ResourceArn,
"aws_wafv2_web_acl_logging_configuration",
"aws",
map[string]string{
"resource_arn": *logConfig.ResourceArn,
},
wafv2AllowEmptyValues,
map[string]interface{}{},
))
}
return nil
}

0 comments on commit ceb25e2

Please sign in to comment.