- block: - name: set yaml anchor set_fact: aws_connection_info: &aws_connection_info aws_access_key: "{{ aws_access_key }}" aws_secret_key: "{{ aws_secret_key }}" security_token: "{{ security_token }}" no_log: yes ################################################## # aws_waf_condition tests ################################################## - name: create WAF IP condition aws_waf_condition: name: "{{ resource_prefix }}_ip_condition" filters: - ip_address: "10.0.0.0/8" type: ip <<: *aws_connection_info register: create_waf_ip_condition - name: add an IP address to WAF condition aws_waf_condition: name: "{{ resource_prefix }}_ip_condition" filters: - ip_address: "10.0.0.0/8" - ip_address: "192.168.0.0/24" type: ip <<: *aws_connection_info register: add_ip_address_to_waf_condition - name: check expected waf filter length assert: that: - add_ip_address_to_waf_condition.condition.ip_set_descriptors|length == 2 - name: add an IP address to WAF condition (rely on purge_filters defaulting to false) aws_waf_condition: name: "{{ resource_prefix }}_ip_condition" filters: - ip_address: "192.168.10.0/24" type: ip <<: *aws_connection_info register: add_ip_address_to_waf_condition_no_purge - name: check waf filter length has increased assert: that: - add_ip_address_to_waf_condition_no_purge.condition.ip_set_descriptors|length == 3 - add_ip_address_to_waf_condition_no_purge.changed - name: add an IP address to WAF condition (set purge_filters) aws_waf_condition: name: "{{ resource_prefix }}_ip_condition" filters: - ip_address: "192.168.20.0/24" purge_filters: yes type: ip <<: *aws_connection_info register: add_ip_address_to_waf_condition_purge - name: check waf filter length has reduced assert: that: - add_ip_address_to_waf_condition_purge.condition.ip_set_descriptors|length == 1 - add_ip_address_to_waf_condition_purge.changed - name: create WAF byte condition aws_waf_condition: name: "{{ resource_prefix }}_byte_condition" filters: - field_to_match: header position: STARTS_WITH target_string: Hello header: Content-type type: byte <<: *aws_connection_info register: create_waf_byte_condition - name: recreate WAF byte condition aws_waf_condition: name: "{{ resource_prefix }}_byte_condition" filters: - field_to_match: header position: STARTS_WITH target_string: Hello header: Content-type type: byte <<: *aws_connection_info register: recreate_waf_byte_condition - name: assert that no change was made assert: that: - not recreate_waf_byte_condition.changed - name: create WAF geo condition aws_waf_condition: name: "{{ resource_prefix }}_geo_condition" filters: - country: US - country: AU - country: AT type: geo <<: *aws_connection_info register: create_waf_geo_condition - name: create WAF size condition aws_waf_condition: name: "{{ resource_prefix }}_size_condition" filters: - field_to_match: query_string size: 300 comparison: GT type: size <<: *aws_connection_info register: create_waf_size_condition - name: create WAF sql condition aws_waf_condition: name: "{{ resource_prefix }}_sql_condition" filters: - field_to_match: query_string transformation: url_decode type: sql <<: *aws_connection_info register: create_waf_sql_condition - name: create WAF xss condition aws_waf_condition: name: "{{ resource_prefix }}_xss_condition" filters: - field_to_match: query_string transformation: url_decode type: xss <<: *aws_connection_info register: create_waf_xss_condition - name: create WAF regex condition aws_waf_condition: name: "{{ resource_prefix }}_regex_condition" filters: - field_to_match: query_string regex_pattern: name: greetings regex_strings: - '[hH]ello' - '^Hi there' - '.*Good Day to You' type: regex <<: *aws_connection_info register: create_waf_regex_condition - name: create a second WAF regex condition with the same regex aws_waf_condition: name: "{{ resource_prefix }}_regex_condition_part_2" filters: - field_to_match: header header: cookie regex_pattern: name: greetings regex_strings: - '[hH]ello' - '^Hi there' - '.*Good Day to You' type: regex <<: *aws_connection_info register: create_second_waf_regex_condition - name: check that the pattern is shared assert: that: - > create_waf_regex_condition.condition.regex_match_tuples[0].regex_pattern_set_id == create_second_waf_regex_condition.condition.regex_match_tuples[0].regex_pattern_set_id - create_second_waf_regex_condition.changed - name: delete first WAF regex condition aws_waf_condition: name: "{{ resource_prefix }}_regex_condition" filters: - field_to_match: query_string regex_pattern: name: greetings regex_strings: - '[hH]ello' - '^Hi there' - '.*Good Day to You' type: regex state: absent <<: *aws_connection_info register: delete_waf_regex_condition - name: delete second WAF regex condition aws_waf_condition: name: "{{ resource_prefix }}_regex_condition_part_2" filters: - field_to_match: header header: cookie regex_pattern: name: greetings regex_strings: - '[hH]ello' - '^Hi there' - '.*Good Day to You' type: regex state: absent <<: *aws_connection_info register: delete_second_waf_regex_condition - name: create WAF regex condition aws_waf_condition: name: "{{ resource_prefix }}_regex_condition" filters: - field_to_match: query_string regex_pattern: name: greetings regex_strings: - '[hH]ello' - '^Hi there' - '.*Good Day to You' type: regex <<: *aws_connection_info register: recreate_waf_regex_condition - name: check that a new pattern is created (because the first pattern should have been deleted once unused) assert: that: - > recreate_waf_regex_condition.condition.regex_match_tuples[0].regex_pattern_set_id != create_waf_regex_condition.condition.regex_match_tuples[0].regex_pattern_set_id ################################################## # aws_waf_rule tests ################################################## - name: create WAF rule aws_waf_rule: name: "{{ resource_prefix }}_rule" conditions: - name: "{{ resource_prefix }}_regex_condition" type: regex negated: no - name: "{{ resource_prefix }}_geo_condition" type: geo negated: no - name: "{{ resource_prefix }}_byte_condition" type: byte negated: no purge_conditions: yes <<: *aws_connection_info register: create_aws_waf_rule - name: check WAF rule assert: that: - create_aws_waf_rule.changed - create_aws_waf_rule.rule.predicates|length == 3 - name: recreate WAF rule aws_waf_rule: name: "{{ resource_prefix }}_rule" conditions: - name: "{{ resource_prefix }}_regex_condition" type: regex negated: no - name: "{{ resource_prefix }}_geo_condition" type: geo negated: no - name: "{{ resource_prefix }}_byte_condition" type: byte negated: no <<: *aws_connection_info register: create_aws_waf_rule - name: check WAF rule did not change assert: that: - not create_aws_waf_rule.changed - create_aws_waf_rule.rule.predicates|length == 3 - name: add further WAF rules relying on purge_conditions defaulting to false aws_waf_rule: name: "{{ resource_prefix }}_rule" conditions: - name: "{{ resource_prefix }}_ip_condition" type: ip negated: yes - name: "{{ resource_prefix }}_sql_condition" type: sql negated: no - name: "{{ resource_prefix }}_xss_condition" type: xss negated: no <<: *aws_connection_info register: add_conditions_to_aws_waf_rule - name: check WAF rule added rules assert: that: - add_conditions_to_aws_waf_rule.changed - add_conditions_to_aws_waf_rule.rule.predicates|length == 6 - name: remove some rules through purging conditions aws_waf_rule: name: "{{ resource_prefix }}_rule" conditions: - name: "{{ resource_prefix }}_ip_condition" type: ip negated: yes - name: "{{ resource_prefix }}_xss_condition" type: xss negated: no - name: "{{ resource_prefix }}_byte_condition" type: byte negated: no - name: "{{ resource_prefix }}_size_condition" type: size negated: no purge_conditions: yes <<: *aws_connection_info register: add_and_remove_waf_rule_conditions - name: check WAF rules were updated as expected assert: that: - add_and_remove_waf_rule_conditions.changed - add_and_remove_waf_rule_conditions.rule.predicates|length == 4 - name: attempt to remove an in use condition aws_waf_condition: name: "{{ resource_prefix }}_size_condition" type: size state: absent <<: *aws_connection_info ignore_errors: yes register: remove_in_use_condition - name: check failure was sensible assert: that: - remove_in_use_condition.failed - "'Condition {{ resource_prefix }}_size_condition is in use' in remove_in_use_condition.msg" ################################################## # aws_waf_web_acl tests ################################################## - name: create web ACL aws_waf_web_acl: name: "{{ resource_prefix }}_web_acl" rules: - name: "{{ resource_prefix }}_rule" priority: 1 action: block default_action: block purge_rules: yes state: present <<: *aws_connection_info register: create_web_acl - name: recreate web acl aws_waf_web_acl: name: "{{ resource_prefix }}_web_acl" rules: - name: "{{ resource_prefix }}_rule" priority: 1 action: block default_action: block state: present <<: *aws_connection_info register: recreate_web_acl - name: check web acl was not changed assert: that: - not recreate_web_acl.changed - recreate_web_acl.web_acl.rules|length == 1 - name: create a second WAF rule aws_waf_rule: name: "{{ resource_prefix }}_rule_2" conditions: - name: "{{ resource_prefix }}_ip_condition" type: ip negated: yes - name: "{{ resource_prefix }}_sql_condition" type: sql negated: no - name: "{{ resource_prefix }}_xss_condition" type: xss negated: no <<: *aws_connection_info - name: add a new rule to the web acl aws_waf_web_acl: name: "{{ resource_prefix }}_web_acl" rules: - name: "{{ resource_prefix }}_rule_2" priority: 2 action: allow default_action: block state: present <<: *aws_connection_info register: web_acl_add_rule - name: check that rule was added to the web acl assert: that: - web_acl_add_rule.changed - web_acl_add_rule.web_acl.rules|length == 2 - name: use purge rules to remove the first rule aws_waf_web_acl: name: "{{ resource_prefix }}_web_acl" rules: - name: "{{ resource_prefix }}_rule_2" priority: 2 action: allow purge_rules: yes default_action: block state: present <<: *aws_connection_info register: web_acl_add_rule - name: check that rule was removed from the web acl assert: that: - web_acl_add_rule.changed - web_acl_add_rule.web_acl.rules|length == 1 - name: swap two rules of same priority aws_waf_web_acl: name: "{{ resource_prefix }}_web_acl" rules: - name: "{{ resource_prefix }}_rule" priority: 2 action: allow purge_rules: yes default_action: block state: present <<: *aws_connection_info register: web_acl_swap_rule - name: attempt to delete the inuse first rule aws_waf_rule: name: "{{ resource_prefix }}_rule" state: absent <<: *aws_connection_info ignore_errors: yes register: remove_inuse_rule - name: check that removing in-use rule fails assert: that: - remove_inuse_rule.failed - name: delete the web acl aws_waf_web_acl: name: "{{ resource_prefix }}_web_acl" state: absent <<: *aws_connection_info register: delete_web_acl - name: check that web acl was deleted assert: that: - delete_web_acl.changed - not delete_web_acl.web_acl - name: delete the no longer in use first rule aws_waf_rule: name: "{{ resource_prefix }}_rule" state: absent <<: *aws_connection_info always: - debug: msg: "****** TEARDOWN STARTS HERE ******" - name: delete the web acl aws_waf_web_acl: name: "{{ resource_prefix }}_web_acl" state: absent purge_rules: yes <<: *aws_connection_info ignore_errors: yes - name: remove second WAF rule aws_waf_rule: name: "{{ resource_prefix }}_rule_2" state: absent purge_conditions: yes <<: *aws_connection_info ignore_errors: yes - name: remove WAF rule aws_waf_rule: name: "{{ resource_prefix }}_rule" state: absent purge_conditions: yes <<: *aws_connection_info ignore_errors: yes - name: remove XSS condition aws_waf_condition: name: "{{ resource_prefix }}_xss_condition" type: xss state: absent <<: *aws_connection_info ignore_errors: yes - name: remove SQL condition aws_waf_condition: name: "{{ resource_prefix }}_sql_condition" type: sql state: absent <<: *aws_connection_info ignore_errors: yes - name: remove size condition aws_waf_condition: name: "{{ resource_prefix }}_size_condition" type: size state: absent <<: *aws_connection_info ignore_errors: yes - name: remove geo condition aws_waf_condition: name: "{{ resource_prefix }}_geo_condition" type: geo state: absent <<: *aws_connection_info ignore_errors: yes - name: remove byte condition aws_waf_condition: name: "{{ resource_prefix }}_byte_condition" type: byte state: absent <<: *aws_connection_info ignore_errors: yes - name: remove ip address condition aws_waf_condition: name: "{{ resource_prefix }}_ip_condition" type: ip state: absent <<: *aws_connection_info ignore_errors: yes - name: remove regex part 2 condition aws_waf_condition: name: "{{ resource_prefix }}_regex_condition_part_2" type: regex state: absent <<: *aws_connection_info ignore_errors: yes - name: remove first regex condition aws_waf_condition: name: "{{ resource_prefix }}_regex_condition" type: regex state: absent <<: *aws_connection_info ignore_errors: yes