diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml index 54fca5a..34dab95 100644 --- a/.github/workflows/pr-validation.yml +++ b/.github/workflows/pr-validation.yml @@ -66,26 +66,20 @@ jobs: terraform init -backend=false terraform validate - - name: Terraform Validate - AAP/ASM - Activate Bot Manager Module - working-directory: ./aap-asm/bot-manager - run: | - terraform init -backend=false - terraform validate - - name: Terraform Validate - AAP/ASM - Client Lists Module working-directory: ./aap-asm/client-lists run: | terraform init -backend=false terraform validate - - name: Terraform Validate - AAP/ASM - Client Reputation Module - working-directory: ./aap-asm/client-reputation + - name: Terraform Validate - AAP/ASM - Security Config Module + working-directory: ./aap-asm/security-config run: | terraform init -backend=false terraform validate - - name: Terraform Validate - AAP/ASM - Security Module - working-directory: ./aap-asm/security + - name: Terraform Validate - AAP/ASM - Security Policy Module + working-directory: ./aap-asm/security-policy run: | terraform init -backend=false terraform validate diff --git a/.github/workflows/tf-docs.yml b/.github/workflows/tf-docs.yml index dfa185c..11006a8 100644 --- a/.github/workflows/tf-docs.yml +++ b/.github/workflows/tf-docs.yml @@ -75,15 +75,6 @@ jobs: output-method: inject git-push: true - - name: Generate terraform-docs for AAP/ASM - Bot Manager Module - uses: terraform-docs/gh-actions@v1.4.1 - with: - working-dir: ./aap-asm/bot-manager - config-file: ../../.terraform-docs.yaml - output-file: README.md - output-method: inject - git-push: true - - name: Generate terraform-docs for AAP/ASM - Client Lists Module uses: terraform-docs/gh-actions@v1.4.1 with: @@ -93,19 +84,19 @@ jobs: output-method: inject git-push: true - - name: Generate terraform-docs for AAP/ASM - Client Reputation Module + - name: Generate terraform-docs for AAP/ASM - Security Config Module uses: terraform-docs/gh-actions@v1.4.1 with: - working-dir: ./aap-asm/client-reputation + working-dir: ./aap-asm/security-config config-file: ../../.terraform-docs.yaml output-file: README.md output-method: inject git-push: true - - name: Generate terraform-docs for AAP/ASM - Security Module + - name: Generate terraform-docs for AAP/ASM - Security Policy Module uses: terraform-docs/gh-actions@v1.4.1 with: - working-dir: ./aap-asm/security + working-dir: ./aap-asm/security-policy config-file: ../../.terraform-docs.yaml output-file: README.md output-method: inject diff --git a/aap-asm/README.md b/aap-asm/README.md index 4e62456..7820a61 100644 --- a/aap-asm/README.md +++ b/aap-asm/README.md @@ -1,9 +1,29 @@ # Modules to create an AAP+ASM configuration -The Terraform Modules contained in this repository help you manage different resources that is required to create an AAP+ASM Configuration as per the best practices: -* Activate-Security : Used to manage resources required to activate secuirty configuration on staging and production -* Bot-manager : Used to manage BVM and BMS resources -* Client-lists : Used to manage resources required to create client lists -* Client-Reputation : Used to manage resources required to create Client reputation profiles -* Security : Used to manage resources related to the following protection - IP/GEO firewall, DoS Protection and WAF +The Terraform Modules contained in this repository help you manage different resources required to create an AAP+ASM Configuration as per best practices. Supports **multiple security policies** per configuration, each with independently configurable protection actions. + +## Modules + +| Module | Cardinality | Purpose | +|--------|-------------|---------| +| **activate-security** | Once | Activate the security configuration on staging and production networks | +| **client-lists** | Once | Create and manage client lists (IP block, GEO block, bypass lists) | +| **security-config** | Once | Create the security configuration, advanced settings, rate policies, and reputation profiles | +| **security-policy** | Per policy (`for_each`) | Create security policies with match targets, WAF, DoS, IP/GEO firewall, client reputation, and bot management | + +## Multi-Policy Architecture + +``` +security-config (singleton) security-policy (for_each) +├── Configuration ├── Policy + match target +├── Advanced settings ├── Protection toggles +├── Rate policies ├── WAF attack group actions +├── Reputation profiles ├── Rate policy actions +└── Bypass lists ├── IP/Geo firewall + ├── Penalty box + slow POST + ├── Reputation profile actions + └── Bot management settings + actions +``` + +Each policy inherits from a `policy_defaults` baseline and can override any field independently. diff --git a/aap-asm/activate-security/versions.tf b/aap-asm/activate-security/versions.tf index 1bc6ce4..ee48df1 100644 --- a/aap-asm/activate-security/versions.tf +++ b/aap-asm/activate-security/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { akamai = { source = "akamai/akamai" - version = "~> 9.0" + version = "~> 10.1" } } required_version = ">= 1.9.0" diff --git a/aap-asm/bot-manager/README.md b/aap-asm/bot-manager/README.md deleted file mode 100644 index ea18700..0000000 --- a/aap-asm/bot-manager/README.md +++ /dev/null @@ -1,162 +0,0 @@ - - -# Onboarding: Application Security Configuration for Bot Manager - -The use case for this module is to quickly create a new Application Security Configuration for Bot Manager -serving a set of hostnames following Akamai Professional Services Best Practices. - -Read on to find out which resources are provisioned as part of this -process, and how to customize! - -# Usage -Basic usage of this module is as follows: - -```hcl -module "example" { - source = "" - - # Required variables - botman_type = - config_id = - remove_botman_cookies = - security_policy_id = - third_party_proxy = - - # Optional variables - add_akamai_bot_header = | default: false - bot_academic_or_research = | default: "alert" - bot_aggressive_web_crawlers = | default: "alert" - bot_artificial_intelligence_ai = | default: "alert" - bot_browser_impersonator = | default: "alert" - bot_business_intelligence = | default: "alert" - bot_client_disabled_javascript_noscript_triggered = | default: "alert" - bot_cookie_integrity_failed = | default: "alert" - bot_declared_bots_keyword_match = | default: "alert" - bot_development_frameworks = | default: "alert" - bot_ecommerce_search_engine = | default: "alert" - bot_enterprise_data_aggregator = | default: "alert" - bot_financial_account_aggregator = | default: "alert" - bot_financial_services = | default: "alert" - bot_headless_browsersautomation_tools = | default: "alert" - bot_http_libraries = | default: "alert" - bot_impersonators_of_known_bots = | default: "alert" - bot_javascript_fingerprint_anomaly = | default: "alert" - bot_javascript_fingerprint_not_received = | default: "alert" - bot_job_search_engine = | default: "alert" - bot_media_or_entertainment_search = | default: "alert" - bot_news_aggregator = | default: "alert" - bot_online_advertising = | default: "alert" - bot_open_source_crawlersscraping_platforms = | default: "alert" - bot_rss_feed_reader = | default: "alert" - bot_seo_analytics_or_marketing = | default: "alert" - bot_session_validation = | default: "alert" - bot_site_monitoring_and_web_development = | default: "alert" - bot_social_media_or_blog = | default: "alert" - bot_web_archiver = | default: "alert" - bot_web_scraper_reputation = | default: "alert" - bot_web_search_engine = | default: "alert" - bot_web_services_libraries = | default: "alert" - enable_active_detections = | default: false - enable_browser_validation = | default: false -} - ``` - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.0 | -| [akamai](#requirement\_akamai) | ~> 9.0 | - -## Resources - -| Name | Type | -|------|------| -| [akamai_botman_akamai_bot_category_action.tfdemo_academic_or_research_bots_0c508e1d-73a4-4366-9e48-3c4a080f1c5d](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | -| [akamai_botman_akamai_bot_category_action.tfdemo_artificial_intelligence_ai_bots_352fca87-71ee-4b8d-ae15-d36772556072](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | -| [akamai_botman_akamai_bot_category_action.tfdemo_business_intelligence_bots_8a70d29c-a491-4583-9768-7deea2f379c1](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | -| [akamai_botman_akamai_bot_category_action.tfdemo_ecommerce_search_engine_bots_47bcfb70-f3f5-458b-8f7c-1773b14bc6a4](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | -| [akamai_botman_akamai_bot_category_action.tfdemo_enterprise_data_aggregator_bots_50395ad2-2673-41a4-b317-9b70742fd40f](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | -| [akamai_botman_akamai_bot_category_action.tfdemo_financial_account_aggregator_bots_c6692e03-d3a8-49b0-9566-5003eeaddbc1](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | -| [akamai_botman_akamai_bot_category_action.tfdemo_financial_services_bots_53598904-21f5-46b1-8b51-1b991beef73b](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | -| [akamai_botman_akamai_bot_category_action.tfdemo_job_search_engine_bots_2f169206-f32c-48f7-b281-d534cf1ceeb3](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | -| [akamai_botman_akamai_bot_category_action.tfdemo_media_or_entertainment_search_bots_dff258d5-b1ad-4bbb-b1d1-cf8e700e5bba](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | -| [akamai_botman_akamai_bot_category_action.tfdemo_news_aggregator_bots_ade03247-6519-4591-8458-9b7347004b63](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | -| [akamai_botman_akamai_bot_category_action.tfdemo_online_advertising_bots_36b27e0c-76fc-44a4-b913-c598c5af8bba](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | -| [akamai_botman_akamai_bot_category_action.tfdemo_rss_feed_reader_bots_b58c9929-9fd0-45f7-86f4-1d6259285c3c](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | -| [akamai_botman_akamai_bot_category_action.tfdemo_seo_analytics_or_marketing_bots_f7558c03-9033-46ce-bbda-10eeda62a5d4](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | -| [akamai_botman_akamai_bot_category_action.tfdemo_site_monitoring_and_web_development_bots_07782c03-8d21-4491-9078-b83514e6508f](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | -| [akamai_botman_akamai_bot_category_action.tfdemo_social_media_or_blog_bots_7035af8d-148c-429a-89da-de41e68c72d8](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | -| [akamai_botman_akamai_bot_category_action.tfdemo_web_archiver_bots_831ef84a-c2bb-4b0d-b90d-bcd16793b830](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | -| [akamai_botman_akamai_bot_category_action.tfdemo_web_search_engine_bots_4e14219f-6568-4c9d-9bd8-b29ca2afc422](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | -| [akamai_botman_bot_detection_action.tfdemo_aggressive_web_crawlers_5bc041ad-c840-4202-9c2e-d7fc873dbeaf](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_detection_action) | resource | -| [akamai_botman_bot_detection_action.tfdemo_browser_impersonator_a3b92f75-fa5d-436e-b066-426fc2919968](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_detection_action) | resource | -| [akamai_botman_bot_detection_action.tfdemo_client_disabled_javascript_noscript_triggered_c5623efa-f326-41d1-9601-a2d201bedf63](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_detection_action) | resource | -| [akamai_botman_bot_detection_action.tfdemo_cookie_integrity_failed_4f1fd3ea-7072-4cd0-8d12-24f275e6c75d](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_detection_action) | resource | -| [akamai_botman_bot_detection_action.tfdemo_declared_bots_keyword_match_074df68e-fb28-432a-ac6d-7cfb958425f1](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_detection_action) | resource | -| [akamai_botman_bot_detection_action.tfdemo_development_frameworks_da005ad3-8bbb-43c8-a783-d97d1fb71ad2](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_detection_action) | resource | -| [akamai_botman_bot_detection_action.tfdemo_headless_browsersautomation_tools_b88cba13-4d11-46fe-a7e0-b47e78892dc4](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_detection_action) | resource | -| [akamai_botman_bot_detection_action.tfdemo_http_libraries_578dad32-024b-48b4-930c-db81831686f4](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_detection_action) | resource | -| [akamai_botman_bot_detection_action.tfdemo_impersonators_of_known_bots_fda1ffb9-ef46-4570-929c-7449c0c750f8](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_detection_action) | resource | -| [akamai_botman_bot_detection_action.tfdemo_javascript_fingerprint_anomaly_393cba3d-656f-48f1-abe4-8dd5028c6871](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_detection_action) | resource | -| [akamai_botman_bot_detection_action.tfdemo_javascript_fingerprint_not_received_c7f70f75-e3e2-4181-8ef8-30afb6576147](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_detection_action) | resource | -| [akamai_botman_bot_detection_action.tfdemo_open_source_crawlersscraping_platforms_601192ae-f5e2-4a29-8f75-a0bcd3584c2b](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_detection_action) | resource | -| [akamai_botman_bot_detection_action.tfdemo_session_validation_1bb748e2-b3ad-41db-85fa-c69e62be59dc](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_detection_action) | resource | -| [akamai_botman_bot_detection_action.tfdemo_web_scraper_reputation_9712ab32-83bb-43ab-a46d-4c2a5a42e7e2](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_detection_action) | resource | -| [akamai_botman_bot_detection_action.tfdemo_web_services_libraries_872ed6c2-514c-4055-9c44-9782b1c783bf](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_detection_action) | resource | -| [akamai_botman_bot_management_settings.bot_manager_bms](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_management_settings) | resource | -| [akamai_botman_bot_management_settings.bot_manager_bvm](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_management_settings) | resource | - -## Modules - -No modules. - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [botman\_type](#input\_botman\_type) | Chose based on the available entitlement: BVM (Bot Visibility and Management) or BMS (Bot Management Standard) | `string` | n/a | yes | -| [config\_id](#input\_config\_id) | Akamai security configuration ID | `string` | n/a | yes | -| [remove\_botman\_cookies](#input\_remove\_botman\_cookies) | Remove Bot Manager cookies before sending request to origin | `bool` | n/a | yes | -| [security\_policy\_id](#input\_security\_policy\_id) | Security policy ID | `string` | n/a | yes | -| [third\_party\_proxy](#input\_third\_party\_proxy) | If you use a third-party proxy service between two Akamai Edge servers for things like A/B testing, content translation, or content adaption engines, turn this on to improve detection accuracy | `bool` | n/a | yes | -| [add\_akamai\_bot\_header](#input\_add\_akamai\_bot\_header) | Adds a header named Akamai-Bot to bot request forwarded to the origin. The header contains details like: bot type, Botnet ID, action, detection method, and bot score details, if applicable | `bool` | `false` | no | -| [bot\_academic\_or\_research](#input\_bot\_academic\_or\_research) | Action for Akamai Bot Category: Academic or Research Bots | `string` | `"alert"` | no | -| [bot\_aggressive\_web\_crawlers](#input\_bot\_aggressive\_web\_crawlers) | Action for Bot Transparent Detections: Aggressive Web Crawlers | `string` | `"alert"` | no | -| [bot\_artificial\_intelligence\_ai](#input\_bot\_artificial\_intelligence\_ai) | Action for Akamai Bot Category: Artificial Intelligence (AI) Bots | `string` | `"alert"` | no | -| [bot\_browser\_impersonator](#input\_bot\_browser\_impersonator) | Action for Bot Transparent Detections: Browser Impersonator | `string` | `"alert"` | no | -| [bot\_business\_intelligence](#input\_bot\_business\_intelligence) | Action for Akamai Bot Category: Business Intelligence Bots | `string` | `"alert"` | no | -| [bot\_client\_disabled\_javascript\_noscript\_triggered](#input\_bot\_client\_disabled\_javascript\_noscript\_triggered) | Bot Active Detections Actions: Client Disabled JavaScript (Noscript Triggered) | `string` | `"alert"` | no | -| [bot\_cookie\_integrity\_failed](#input\_bot\_cookie\_integrity\_failed) | Bot Active Detections Actions: Cookie Integrity Failed | `string` | `"alert"` | no | -| [bot\_declared\_bots\_keyword\_match](#input\_bot\_declared\_bots\_keyword\_match) | Action for Bot Transparent Detections: Declared Bots (Keyword Match) | `string` | `"alert"` | no | -| [bot\_development\_frameworks](#input\_bot\_development\_frameworks) | Action for Bot Transparent Detections: Development Frameworks | `string` | `"alert"` | no | -| [bot\_ecommerce\_search\_engine](#input\_bot\_ecommerce\_search\_engine) | Action for Akamai Bot Category: E-Commerce Search Engine Bots | `string` | `"alert"` | no | -| [bot\_enterprise\_data\_aggregator](#input\_bot\_enterprise\_data\_aggregator) | Action for Akamai Bot Category: Enterprise Data Aggregator Bots | `string` | `"alert"` | no | -| [bot\_financial\_account\_aggregator](#input\_bot\_financial\_account\_aggregator) | Action for Akamai Bot Category: Financial Account Aggregator Bots | `string` | `"alert"` | no | -| [bot\_financial\_services](#input\_bot\_financial\_services) | Action for Akamai Bot Category: Financial Services Bots | `string` | `"alert"` | no | -| [bot\_headless\_browsersautomation\_tools](#input\_bot\_headless\_browsersautomation\_tools) | Action for Bot Transparent Detections: Headless Browsers/Automation Tools | `string` | `"alert"` | no | -| [bot\_http\_libraries](#input\_bot\_http\_libraries) | Action for Bot Transparent Detections: HTTP Libraries | `string` | `"alert"` | no | -| [bot\_impersonators\_of\_known\_bots](#input\_bot\_impersonators\_of\_known\_bots) | Action for Bot Transparent Detections: Impersonators of Known Bots | `string` | `"alert"` | no | -| [bot\_javascript\_fingerprint\_anomaly](#input\_bot\_javascript\_fingerprint\_anomaly) | Bot Active Detections Actions: JavaScript Fingerprint Anomaly | `string` | `"alert"` | no | -| [bot\_javascript\_fingerprint\_not\_received](#input\_bot\_javascript\_fingerprint\_not\_received) | Bot Active Detections Actions: JavaScript Fingerprint Not Received | `string` | `"alert"` | no | -| [bot\_job\_search\_engine](#input\_bot\_job\_search\_engine) | Action for Akamai Bot Category: Job Search Engine Bots | `string` | `"alert"` | no | -| [bot\_media\_or\_entertainment\_search](#input\_bot\_media\_or\_entertainment\_search) | Action for Akamai Bot Category: Media or Entertainment Search Bots | `string` | `"alert"` | no | -| [bot\_news\_aggregator](#input\_bot\_news\_aggregator) | Action for Akamai Bot Category: News Aggregator Bots | `string` | `"alert"` | no | -| [bot\_online\_advertising](#input\_bot\_online\_advertising) | Action for Akamai Bot Category: Online Advertising Bots | `string` | `"alert"` | no | -| [bot\_open\_source\_crawlersscraping\_platforms](#input\_bot\_open\_source\_crawlersscraping\_platforms) | Action for Bot Transparent Detections: Open Source Crawlers/Scraping Platforms | `string` | `"alert"` | no | -| [bot\_rss\_feed\_reader](#input\_bot\_rss\_feed\_reader) | Action for Akamai Bot Category: RSS Feed Reader Bots | `string` | `"alert"` | no | -| [bot\_seo\_analytics\_or\_marketing](#input\_bot\_seo\_analytics\_or\_marketing) | Action for Akamai Bot Category: SEO, Analytics or Marketing Bots | `string` | `"alert"` | no | -| [bot\_session\_validation](#input\_bot\_session\_validation) | Bot Active Detections Actions: Session Validation | `string` | `"alert"` | no | -| [bot\_site\_monitoring\_and\_web\_development](#input\_bot\_site\_monitoring\_and\_web\_development) | Action for Akamai Bot Category: Site Monitoring and Web Development Bots | `string` | `"alert"` | no | -| [bot\_social\_media\_or\_blog](#input\_bot\_social\_media\_or\_blog) | Action for Akamai Bot Category: Social Media or Blog Bots | `string` | `"alert"` | no | -| [bot\_web\_archiver](#input\_bot\_web\_archiver) | Action for Akamai Bot Category: Web Archiver Bots | `string` | `"alert"` | no | -| [bot\_web\_scraper\_reputation](#input\_bot\_web\_scraper\_reputation) | Action for Bot Transparent Detections: Web Scraper Reputation | `string` | `"alert"` | no | -| [bot\_web\_search\_engine](#input\_bot\_web\_search\_engine) | Action for Akamai Bot Category: Web Search Engine Bots | `string` | `"alert"` | no | -| [bot\_web\_services\_libraries](#input\_bot\_web\_services\_libraries) | Action for Bot Transparent Detections: Web Services Libraries | `string` | `"alert"` | no | -| [enable\_active\_detections](#input\_enable\_active\_detections) | These methods interact with the requesting client using a combination of JavaScript and cookies to try to confirm that the request comes from a human using a real web browser | `bool` | `false` | no | -| [enable\_browser\_validation](#input\_enable\_browser\_validation) | Confirm that requests come from a browser. Enable use browser validation detection anywhere you expect browsers to visit the URL | `bool` | `false` | no | - -## Outputs - -No outputs. - \ No newline at end of file diff --git a/aap-asm/bot-manager/botman-actions.tf b/aap-asm/bot-manager/botman-actions.tf deleted file mode 100644 index 8223956..0000000 --- a/aap-asm/bot-manager/botman-actions.tf +++ /dev/null @@ -1,363 +0,0 @@ - -resource "akamai_botman_bot_detection_action" "tfdemo_session_validation_1bb748e2-b3ad-41db-85fa-c69e62be59dc" { - count = var.botman_type == "bms" ? 1 : 0 - config_id = var.config_id - security_policy_id = var.security_policy_id - detection_id = "1bb748e2-b3ad-41db-85fa-c69e62be59dc" - bot_detection_action = jsonencode( - { - "action" : var.bot_session_validation, - "sessionActivitySensitivity" : "MEDIUM" - } - ) -} -resource "akamai_botman_bot_detection_action" "tfdemo_javascript_fingerprint_anomaly_393cba3d-656f-48f1-abe4-8dd5028c6871" { - count = var.botman_type == "bms" ? 1 : 0 - config_id = var.config_id - security_policy_id = var.security_policy_id - detection_id = "393cba3d-656f-48f1-abe4-8dd5028c6871" - bot_detection_action = jsonencode( - { - "action" : var.bot_javascript_fingerprint_anomaly - } - ) -} - -resource "akamai_botman_bot_detection_action" "tfdemo_cookie_integrity_failed_4f1fd3ea-7072-4cd0-8d12-24f275e6c75d" { - count = var.botman_type == "bms" ? 1 : 0 - config_id = var.config_id - security_policy_id = var.security_policy_id - detection_id = "4f1fd3ea-7072-4cd0-8d12-24f275e6c75d" - bot_detection_action = jsonencode( - { - "action" : var.bot_cookie_integrity_failed - } - ) -} - -resource "akamai_botman_bot_detection_action" "tfdemo_client_disabled_javascript_noscript_triggered_c5623efa-f326-41d1-9601-a2d201bedf63" { - count = var.botman_type == "bms" ? 1 : 0 - config_id = var.config_id - security_policy_id = var.security_policy_id - detection_id = "c5623efa-f326-41d1-9601-a2d201bedf63" - bot_detection_action = jsonencode( - { - "action" : var.bot_client_disabled_javascript_noscript_triggered - } - ) -} - -resource "akamai_botman_bot_detection_action" "tfdemo_javascript_fingerprint_not_received_c7f70f75-e3e2-4181-8ef8-30afb6576147" { - count = var.botman_type == "bms" ? 1 : 0 - config_id = var.config_id - security_policy_id = var.security_policy_id - detection_id = "c7f70f75-e3e2-4181-8ef8-30afb6576147" - bot_detection_action = jsonencode( - { - "action" : var.bot_javascript_fingerprint_not_received - } - ) -} - -resource "akamai_botman_akamai_bot_category_action" "tfdemo_site_monitoring_and_web_development_bots_07782c03-8d21-4491-9078-b83514e6508f" { - config_id = var.config_id - security_policy_id = var.security_policy_id - category_id = "07782c03-8d21-4491-9078-b83514e6508f" - akamai_bot_category_action = jsonencode( - { - "action" : var.bot_site_monitoring_and_web_development - } - ) -} - -resource "akamai_botman_akamai_bot_category_action" "tfdemo_academic_or_research_bots_0c508e1d-73a4-4366-9e48-3c4a080f1c5d" { - config_id = var.config_id - security_policy_id = var.security_policy_id - category_id = "0c508e1d-73a4-4366-9e48-3c4a080f1c5d" - akamai_bot_category_action = jsonencode( - { - "action" : var.bot_academic_or_research - } - ) -} - -resource "akamai_botman_akamai_bot_category_action" "tfdemo_job_search_engine_bots_2f169206-f32c-48f7-b281-d534cf1ceeb3" { - config_id = var.config_id - security_policy_id = var.security_policy_id - category_id = "2f169206-f32c-48f7-b281-d534cf1ceeb3" - akamai_bot_category_action = jsonencode( - { - "action" : var.bot_job_search_engine - } - ) -} - -resource "akamai_botman_akamai_bot_category_action" "tfdemo_artificial_intelligence_ai_bots_352fca87-71ee-4b8d-ae15-d36772556072" { - config_id = var.config_id - security_policy_id = var.security_policy_id - category_id = "352fca87-71ee-4b8d-ae15-d36772556072" - akamai_bot_category_action = jsonencode( - { - "action" : var.bot_artificial_intelligence_ai - } - ) -} - -resource "akamai_botman_akamai_bot_category_action" "tfdemo_online_advertising_bots_36b27e0c-76fc-44a4-b913-c598c5af8bba" { - config_id = var.config_id - security_policy_id = var.security_policy_id - category_id = "36b27e0c-76fc-44a4-b913-c598c5af8bba" - akamai_bot_category_action = jsonencode( - { - "action" : var.bot_online_advertising - } - ) -} - -resource "akamai_botman_akamai_bot_category_action" "tfdemo_ecommerce_search_engine_bots_47bcfb70-f3f5-458b-8f7c-1773b14bc6a4" { - config_id = var.config_id - security_policy_id = var.security_policy_id - category_id = "47bcfb70-f3f5-458b-8f7c-1773b14bc6a4" - akamai_bot_category_action = jsonencode( - { - "action" : var.bot_ecommerce_search_engine - } - ) -} - -resource "akamai_botman_akamai_bot_category_action" "tfdemo_web_search_engine_bots_4e14219f-6568-4c9d-9bd8-b29ca2afc422" { - config_id = var.config_id - security_policy_id = var.security_policy_id - category_id = "4e14219f-6568-4c9d-9bd8-b29ca2afc422" - akamai_bot_category_action = jsonencode( - { - "action" : var.bot_web_search_engine - } - ) -} - -resource "akamai_botman_akamai_bot_category_action" "tfdemo_enterprise_data_aggregator_bots_50395ad2-2673-41a4-b317-9b70742fd40f" { - config_id = var.config_id - security_policy_id = var.security_policy_id - category_id = "50395ad2-2673-41a4-b317-9b70742fd40f" - akamai_bot_category_action = jsonencode( - { - "action" : var.bot_enterprise_data_aggregator - } - ) -} - -resource "akamai_botman_akamai_bot_category_action" "tfdemo_financial_services_bots_53598904-21f5-46b1-8b51-1b991beef73b" { - config_id = var.config_id - security_policy_id = var.security_policy_id - category_id = "53598904-21f5-46b1-8b51-1b991beef73b" - akamai_bot_category_action = jsonencode( - { - "action" : var.bot_financial_services - } - ) -} - -resource "akamai_botman_akamai_bot_category_action" "tfdemo_social_media_or_blog_bots_7035af8d-148c-429a-89da-de41e68c72d8" { - config_id = var.config_id - security_policy_id = var.security_policy_id - category_id = "7035af8d-148c-429a-89da-de41e68c72d8" - akamai_bot_category_action = jsonencode( - { - "action" : var.bot_social_media_or_blog - } - ) -} - -resource "akamai_botman_akamai_bot_category_action" "tfdemo_web_archiver_bots_831ef84a-c2bb-4b0d-b90d-bcd16793b830" { - config_id = var.config_id - security_policy_id = var.security_policy_id - category_id = "831ef84a-c2bb-4b0d-b90d-bcd16793b830" - akamai_bot_category_action = jsonencode( - { - "action" : var.bot_web_archiver - } - ) -} - -resource "akamai_botman_akamai_bot_category_action" "tfdemo_business_intelligence_bots_8a70d29c-a491-4583-9768-7deea2f379c1" { - config_id = var.config_id - security_policy_id = var.security_policy_id - category_id = "8a70d29c-a491-4583-9768-7deea2f379c1" - akamai_bot_category_action = jsonencode( - { - "action" : var.bot_business_intelligence - } - ) -} - -resource "akamai_botman_akamai_bot_category_action" "tfdemo_news_aggregator_bots_ade03247-6519-4591-8458-9b7347004b63" { - config_id = var.config_id - security_policy_id = var.security_policy_id - category_id = "ade03247-6519-4591-8458-9b7347004b63" - akamai_bot_category_action = jsonencode( - { - "action" : var.bot_news_aggregator - } - ) -} - -resource "akamai_botman_akamai_bot_category_action" "tfdemo_rss_feed_reader_bots_b58c9929-9fd0-45f7-86f4-1d6259285c3c" { - config_id = var.config_id - security_policy_id = var.security_policy_id - category_id = "b58c9929-9fd0-45f7-86f4-1d6259285c3c" - akamai_bot_category_action = jsonencode( - { - "action" : var.bot_rss_feed_reader - } - ) -} - -resource "akamai_botman_akamai_bot_category_action" "tfdemo_financial_account_aggregator_bots_c6692e03-d3a8-49b0-9566-5003eeaddbc1" { - config_id = var.config_id - security_policy_id = var.security_policy_id - category_id = "c6692e03-d3a8-49b0-9566-5003eeaddbc1" - akamai_bot_category_action = jsonencode( - { - "action" : var.bot_financial_account_aggregator - } - ) -} - -resource "akamai_botman_akamai_bot_category_action" "tfdemo_media_or_entertainment_search_bots_dff258d5-b1ad-4bbb-b1d1-cf8e700e5bba" { - config_id = var.config_id - security_policy_id = var.security_policy_id - category_id = "dff258d5-b1ad-4bbb-b1d1-cf8e700e5bba" - akamai_bot_category_action = jsonencode( - { - "action" : var.bot_media_or_entertainment_search - } - ) -} - -resource "akamai_botman_akamai_bot_category_action" "tfdemo_seo_analytics_or_marketing_bots_f7558c03-9033-46ce-bbda-10eeda62a5d4" { - config_id = var.config_id - security_policy_id = var.security_policy_id - category_id = "f7558c03-9033-46ce-bbda-10eeda62a5d4" - akamai_bot_category_action = jsonencode( - { - "action" : var.bot_seo_analytics_or_marketing - } - ) -} - -resource "akamai_botman_bot_detection_action" "tfdemo_declared_bots_keyword_match_074df68e-fb28-432a-ac6d-7cfb958425f1" { - config_id = var.config_id - security_policy_id = var.security_policy_id - detection_id = "074df68e-fb28-432a-ac6d-7cfb958425f1" - bot_detection_action = jsonencode( - { - "action" : var.bot_declared_bots_keyword_match - } - ) -} - -resource "akamai_botman_bot_detection_action" "tfdemo_http_libraries_578dad32-024b-48b4-930c-db81831686f4" { - config_id = var.config_id - security_policy_id = var.security_policy_id - detection_id = "578dad32-024b-48b4-930c-db81831686f4" - bot_detection_action = jsonencode( - { - "action" : var.bot_http_libraries - } - ) -} - -resource "akamai_botman_bot_detection_action" "tfdemo_aggressive_web_crawlers_5bc041ad-c840-4202-9c2e-d7fc873dbeaf" { - config_id = var.config_id - security_policy_id = var.security_policy_id - detection_id = "5bc041ad-c840-4202-9c2e-d7fc873dbeaf" - bot_detection_action = jsonencode( - { - "action" : var.bot_aggressive_web_crawlers - } - ) -} - -resource "akamai_botman_bot_detection_action" "tfdemo_open_source_crawlersscraping_platforms_601192ae-f5e2-4a29-8f75-a0bcd3584c2b" { - config_id = var.config_id - security_policy_id = var.security_policy_id - detection_id = "601192ae-f5e2-4a29-8f75-a0bcd3584c2b" - bot_detection_action = jsonencode( - { - "action" : var.bot_open_source_crawlersscraping_platforms - } - ) -} - -resource "akamai_botman_bot_detection_action" "tfdemo_web_services_libraries_872ed6c2-514c-4055-9c44-9782b1c783bf" { - config_id = var.config_id - security_policy_id = var.security_policy_id - detection_id = "872ed6c2-514c-4055-9c44-9782b1c783bf" - bot_detection_action = jsonencode( - { - "action" : var.bot_web_services_libraries - } - ) -} - -resource "akamai_botman_bot_detection_action" "tfdemo_web_scraper_reputation_9712ab32-83bb-43ab-a46d-4c2a5a42e7e2" { - config_id = var.config_id - security_policy_id = var.security_policy_id - detection_id = "9712ab32-83bb-43ab-a46d-4c2a5a42e7e2" - bot_detection_action = jsonencode( - { - "action" : var.bot_web_scraper_reputation, - "webScraperReputationSensitivity" : 4 - } - ) -} - -resource "akamai_botman_bot_detection_action" "tfdemo_browser_impersonator_a3b92f75-fa5d-436e-b066-426fc2919968" { - config_id = var.config_id - security_policy_id = var.security_policy_id - detection_id = "a3b92f75-fa5d-436e-b066-426fc2919968" - bot_detection_action = jsonencode( - { - "action" : var.bot_browser_impersonator - } - ) -} - -resource "akamai_botman_bot_detection_action" "tfdemo_headless_browsersautomation_tools_b88cba13-4d11-46fe-a7e0-b47e78892dc4" { - config_id = var.config_id - security_policy_id = var.security_policy_id - detection_id = "b88cba13-4d11-46fe-a7e0-b47e78892dc4" - bot_detection_action = jsonencode( - { - "action" : var.bot_headless_browsersautomation_tools - } - ) -} - - -resource "akamai_botman_bot_detection_action" "tfdemo_development_frameworks_da005ad3-8bbb-43c8-a783-d97d1fb71ad2" { - config_id = var.config_id - security_policy_id = var.security_policy_id - detection_id = "da005ad3-8bbb-43c8-a783-d97d1fb71ad2" - bot_detection_action = jsonencode( - { - "action" : var.bot_development_frameworks - } - ) -} - -resource "akamai_botman_bot_detection_action" "tfdemo_impersonators_of_known_bots_fda1ffb9-ef46-4570-929c-7449c0c750f8" { - config_id = var.config_id - security_policy_id = var.security_policy_id - detection_id = "fda1ffb9-ef46-4570-929c-7449c0c750f8" - bot_detection_action = jsonencode( - { - "action" : var.bot_impersonators_of_known_bots - } - ) -} - - - - diff --git a/aap-asm/bot-manager/main.tf b/aap-asm/bot-manager/main.tf deleted file mode 100644 index d28ed21..0000000 --- a/aap-asm/bot-manager/main.tf +++ /dev/null @@ -1,40 +0,0 @@ -/** - * # Onboarding: Application Security Configuration for Bot Manager - * - * The use case for this module is to quickly create a new Application Security Configuration for Bot Manager - * serving a set of hostnames following Akamai Professional Services Best Practices. - * - * Read on to find out which resources are provisioned as part of this - * process, and how to customize! - * - */ - -resource "akamai_botman_bot_management_settings" "bot_manager_bvm" { - count = var.botman_type == "bvm" ? 1 : 0 - config_id = var.config_id - security_policy_id = var.security_policy_id - bot_management_settings = jsonencode( - { - "enableBotManagement" : true - "removeBotManagementCookies" : var.remove_botman_cookies, - "thirdPartyProxyServiceInUse" : var.third_party_proxy - } - ) -} - -resource "akamai_botman_bot_management_settings" "bot_manager_bms" { - count = var.botman_type == "bms" ? 1 : 0 - config_id = var.config_id - security_policy_id = var.security_policy_id - bot_management_settings = jsonencode( - { - "addAkamaiBotHeader" : var.add_akamai_bot_header, - "enableActiveDetections" : var.enable_active_detections, - "enableBotManagement" : true - "enableBrowserValidation" : var.enable_browser_validation, - "removeBotManagementCookies" : var.remove_botman_cookies, - "thirdPartyProxyServiceInUse" : var.third_party_proxy - } - ) -} - diff --git a/aap-asm/bot-manager/variables.tf b/aap-asm/bot-manager/variables.tf deleted file mode 100644 index 5ddd1a5..0000000 --- a/aap-asm/bot-manager/variables.tf +++ /dev/null @@ -1,206 +0,0 @@ -# Global settings -variable "botman_type" { - description = "Chose based on the available entitlement: BVM (Bot Visibility and Management) or BMS (Bot Management Standard)" - type = string - validation { - condition = can(index(["bvm", "bms"], var.botman_type)) - error_message = "Invalid value for Botman Type. Allowed values are bvm or bms." - } -} -variable "config_id" { - description = "Akamai security configuration ID" - type = string -} -variable "security_policy_id" { - description = "Security policy ID" - type = string -} -variable "add_akamai_bot_header" { - description = "Adds a header named Akamai-Bot to bot request forwarded to the origin. The header contains details like: bot type, Botnet ID, action, detection method, and bot score details, if applicable" - type = bool - default = false -} -variable "enable_active_detections" { - description = "These methods interact with the requesting client using a combination of JavaScript and cookies to try to confirm that the request comes from a human using a real web browser" - type = bool - default = false -} -variable "enable_browser_validation" { - description = "Confirm that requests come from a browser. Enable use browser validation detection anywhere you expect browsers to visit the URL" - type = bool - default = false -} -variable "remove_botman_cookies" { - description = "Remove Bot Manager cookies before sending request to origin" - type = bool -} -variable "third_party_proxy" { - description = "If you use a third-party proxy service between two Akamai Edge servers for things like A/B testing, content translation, or content adaption engines, turn this on to improve detection accuracy" - type = bool -} - - -# Bot Active Detections Actions -variable "bot_cookie_integrity_failed" { - description = "Bot Active Detections Actions: Cookie Integrity Failed " - type = string - default = "alert" -} -variable "bot_session_validation" { - description = "Bot Active Detections Actions: Session Validation " - type = string - default = "alert" -} -variable "bot_client_disabled_javascript_noscript_triggered" { - description = "Bot Active Detections Actions: Client Disabled JavaScript (Noscript Triggered)" - type = string - default = "alert" -} -variable "bot_javascript_fingerprint_anomaly" { - description = "Bot Active Detections Actions: JavaScript Fingerprint Anomaly" - type = string - default = "alert" -} -variable "bot_javascript_fingerprint_not_received" { - description = "Bot Active Detections Actions: JavaScript Fingerprint Not Received" - type = string - default = "alert" -} -# Bot Category Actions -variable "bot_site_monitoring_and_web_development" { - description = "Action for Akamai Bot Category: Site Monitoring and Web Development Bots" - type = string - default = "alert" -} -variable "bot_academic_or_research" { - description = "Action for Akamai Bot Category: Academic or Research Bots" - type = string - default = "alert" -} -variable "bot_job_search_engine" { - description = "Action for Akamai Bot Category: Job Search Engine Bots" - type = string - default = "alert" -} -variable "bot_artificial_intelligence_ai" { - description = "Action for Akamai Bot Category: Artificial Intelligence (AI) Bots" - type = string - default = "alert" -} -variable "bot_online_advertising" { - description = "Action for Akamai Bot Category: Online Advertising Bots" - type = string - default = "alert" -} -variable "bot_ecommerce_search_engine" { - description = "Action for Akamai Bot Category: E-Commerce Search Engine Bots" - type = string - default = "alert" -} -variable "bot_web_search_engine" { - description = "Action for Akamai Bot Category: Web Search Engine Bots" - type = string - default = "alert" -} -variable "bot_enterprise_data_aggregator" { - description = "Action for Akamai Bot Category: Enterprise Data Aggregator Bots" - type = string - default = "alert" -} -variable "bot_financial_services" { - description = "Action for Akamai Bot Category: Financial Services Bots" - type = string - default = "alert" -} -variable "bot_social_media_or_blog" { - description = "Action for Akamai Bot Category: Social Media or Blog Bots" - type = string - default = "alert" -} -variable "bot_web_archiver" { - description = "Action for Akamai Bot Category: Web Archiver Bots" - type = string - default = "alert" -} -variable "bot_business_intelligence" { - description = "Action for Akamai Bot Category: Business Intelligence Bots" - type = string - default = "alert" -} -variable "bot_news_aggregator" { - description = "Action for Akamai Bot Category: News Aggregator Bots" - type = string - default = "alert" -} -variable "bot_rss_feed_reader" { - description = "Action for Akamai Bot Category: RSS Feed Reader Bots" - type = string - default = "alert" -} -variable "bot_financial_account_aggregator" { - description = "Action for Akamai Bot Category: Financial Account Aggregator Bots" - type = string - default = "alert" -} -variable "bot_media_or_entertainment_search" { - description = "Action for Akamai Bot Category: Media or Entertainment Search Bots" - type = string - default = "alert" -} -variable "bot_seo_analytics_or_marketing" { - description = "Action for Akamai Bot Category: SEO, Analytics or Marketing Bots" - type = string - default = "alert" -} - -# Bot Transparent Detections Actions -variable "bot_impersonators_of_known_bots" { - description = "Action for Bot Transparent Detections: Impersonators of Known Bots " - type = string - default = "alert" -} -variable "bot_development_frameworks" { - description = "Action for Bot Transparent Detections: Development Frameworks " - type = string - default = "alert" -} -variable "bot_http_libraries" { - description = "Action for Bot Transparent Detections: HTTP Libraries " - type = string - default = "alert" -} -variable "bot_web_services_libraries" { - description = "Action for Bot Transparent Detections: Web Services Libraries " - type = string - default = "alert" -} -variable "bot_open_source_crawlersscraping_platforms" { - description = "Action for Bot Transparent Detections: Open Source Crawlers/Scraping Platforms " - type = string - default = "alert" -} -variable "bot_headless_browsersautomation_tools" { - description = "Action for Bot Transparent Detections: Headless Browsers/Automation Tools" - type = string - default = "alert" -} -variable "bot_declared_bots_keyword_match" { - description = "Action for Bot Transparent Detections: Declared Bots (Keyword Match) " - type = string - default = "alert" -} -variable "bot_aggressive_web_crawlers" { - description = "Action for Bot Transparent Detections: Aggressive Web Crawlers" - type = string - default = "alert" -} -variable "bot_browser_impersonator" { - description = "Action for Bot Transparent Detections: Browser Impersonator" - type = string - default = "alert" -} -variable "bot_web_scraper_reputation" { - description = "Action for Bot Transparent Detections: Web Scraper Reputation " - type = string - default = "alert" -} \ No newline at end of file diff --git a/aap-asm/bot-manager/versions.tf b/aap-asm/bot-manager/versions.tf deleted file mode 100644 index 1bc6ce4..0000000 --- a/aap-asm/bot-manager/versions.tf +++ /dev/null @@ -1,10 +0,0 @@ -terraform { - required_providers { - akamai = { - source = "akamai/akamai" - version = "~> 9.0" - } - } - required_version = ">= 1.9.0" - -} diff --git a/aap-asm/client-lists/README.md b/aap-asm/client-lists/README.md index 55ebaec..8dcd1a7 100644 --- a/aap-asm/client-lists/README.md +++ b/aap-asm/client-lists/README.md @@ -20,8 +20,6 @@ module "example" { config_name = contract_id = group_id = - notification_emails = - version_notes = } ``` @@ -36,8 +34,6 @@ module "example" { | Name | Type | |------|------| -| [akamai_clientlist_activation.client-lists-rcbypass-list_production](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/clientlist_activation) | resource | -| [akamai_clientlist_activation.client-lists-rcbypass-list_staging](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/clientlist_activation) | resource | | [akamai_clientlist_list.client-lists-geoblock-list](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/clientlist_list) | resource | | [akamai_clientlist_list.client-lists-ipblock](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/clientlist_list) | resource | | [akamai_clientlist_list.client-lists-ipblock-list-exceptions](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/clientlist_list) | resource | @@ -58,8 +54,6 @@ No modules. | [config\_name](#input\_config\_name) | Security configuration name | `string` | n/a | yes | | [contract\_id](#input\_contract\_id) | Akamai Contract ID | `string` | n/a | yes | | [group\_id](#input\_group\_id) | Akamai Group ID | `string` | n/a | yes | -| [notification\_emails](#input\_notification\_emails) | List or emails for notifications | `list(string)` | n/a | yes | -| [version\_notes](#input\_version\_notes) | Notes for the version | `string` | n/a | yes | ## Outputs diff --git a/aap-asm/client-lists/activate.tf b/aap-asm/client-lists/activate.tf index d0a8b92..e69de29 100644 --- a/aap-asm/client-lists/activate.tf +++ b/aap-asm/client-lists/activate.tf @@ -1,18 +0,0 @@ -# Activating the rate control bypass list as terraform requires that the list be active before using in rate policies -resource "akamai_clientlist_activation" "client-lists-rcbypass-list_staging" { - list_id = akamai_clientlist_list.client-lists-rcbypass-list.id - version = akamai_clientlist_list.client-lists-rcbypass-list.version - network = "STAGING" - comments = var.version_notes - notification_recipients = var.notification_emails -} - -# For now the activation to production is disabled -resource "akamai_clientlist_activation" "client-lists-rcbypass-list_production" { - count = 0 - list_id = akamai_clientlist_list.client-lists-rcbypass-list.id - version = akamai_clientlist_list.client-lists-rcbypass-list.version - network = "PRODUCTION" - comments = var.version_notes - notification_recipients = var.notification_emails -} \ No newline at end of file diff --git a/aap-asm/client-lists/main.tf b/aap-asm/client-lists/main.tf index 9dd7464..e4a131a 100644 --- a/aap-asm/client-lists/main.tf +++ b/aap-asm/client-lists/main.tf @@ -36,6 +36,15 @@ resource "akamai_clientlist_list" "client-lists-geoblock-list" { group_id = var.group_id } +resource "akamai_clientlist_list" "client-lists-asnblock-list" { + name = "${var.client_lists_prefix}-ASN Block List" + type = "ASN" + notes = "ASN Block List for ${var.config_name}" + tags = [] + contract_id = var.contract_id + group_id = var.group_id +} + resource "akamai_clientlist_list" "client-lists-securitybypass-list" { name = "${var.client_lists_prefix}-Security Bypass List" type = "IP" @@ -62,12 +71,3 @@ resource "akamai_clientlist_list" "client-lists-pragmabypass-list" { contract_id = var.contract_id group_id = var.group_id } - -resource "akamai_clientlist_list" "client-lists-reputationbypass-list" { - name = "${var.client_lists_prefix}-Reputation Bypass List" - type = "IP" - notes = "Reputation Bypass List for ${var.config_name}" - tags = [] - contract_id = var.contract_id - group_id = var.group_id -} diff --git a/aap-asm/client-lists/outputs.tf b/aap-asm/client-lists/outputs.tf index 1c7e6f8..9582c32 100644 --- a/aap-asm/client-lists/outputs.tf +++ b/aap-asm/client-lists/outputs.tf @@ -13,6 +13,11 @@ output "client_lists_geoblock_id" { value = [akamai_clientlist_list.client-lists-geoblock-list.id] } +output "client_lists_asnblock_id" { + description = "ID for the ASN Block Client List" + value = [akamai_clientlist_list.client-lists-asnblock-list.id] +} + output "client_lists_securitybypass_id" { description = "ID for the Security Bypass Client List" value = [akamai_clientlist_list.client-lists-securitybypass-list.id] @@ -27,8 +32,3 @@ output "client_lists_pragmabypass_id" { description = "ID for the Pragma Bypass Client List" value = [akamai_clientlist_list.client-lists-pragmabypass-list.id] } - -output "client_lists_reputationbypass_id" { - description = "ID for the reputation Bypass Client List" - value = [akamai_clientlist_list.client-lists-reputationbypass-list.id] -} \ No newline at end of file diff --git a/aap-asm/client-lists/variables.tf b/aap-asm/client-lists/variables.tf index 102c137..d0bdc63 100644 --- a/aap-asm/client-lists/variables.tf +++ b/aap-asm/client-lists/variables.tf @@ -19,12 +19,3 @@ variable "client_lists_prefix" { type = string } -variable "version_notes" { - description = "Notes for the version" - type = string -} - -variable "notification_emails" { - description = "List or emails for notifications" - type = list(string) -} \ No newline at end of file diff --git a/aap-asm/client-lists/versions.tf b/aap-asm/client-lists/versions.tf index 1bc6ce4..ee48df1 100644 --- a/aap-asm/client-lists/versions.tf +++ b/aap-asm/client-lists/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { akamai = { source = "akamai/akamai" - version = "~> 9.0" + version = "~> 10.1" } } required_version = ">= 1.9.0" diff --git a/aap-asm/client-reputation/README.md b/aap-asm/client-reputation/README.md deleted file mode 100644 index 4164572..0000000 --- a/aap-asm/client-reputation/README.md +++ /dev/null @@ -1,121 +0,0 @@ - - -# Onboarding: Application Security Configuration for Client Reputation - -The use case for this module is to quickly create a new Application Security Configuration for Client Reputation -serving a set of hostnames following Akamai Professional Services Best Practices. - -Read on to find out which resources are provisioned as part of this -process, and how to customize! - -# Usage -Basic usage of this module is as follows: - -```hcl -module "example" { - source = "" - - # Required variables - client_lists_reputationbypass = - config_id = - security_policy_id = - - # Optional variables - rep_dos_attackers_high = | default: "alert" - rep_dos_attackers_high_shared = | default: "alert" - rep_dos_attackers_low = | default: "alert" - rep_dos_attackers_low_shared = | default: "alert" - rep_scanning_tools_high = | default: "alert" - rep_scanning_tools_high_shared = | default: "alert" - rep_scanning_tools_low = | default: "alert" - rep_scanning_tools_low_shared = | default: "alert" - rep_web_attackers_high = | default: "alert" - rep_web_attackers_high_shared = | default: "alert" - rep_web_attackers_low = | default: "alert" - rep_web_attackers_low_shared = | default: "alert" - rep_web_scrapers_high = | default: "alert" - rep_web_scrapers_high_shared = | default: "alert" - rep_web_scrapers_low = | default: "alert" - rep_web_scrapers_low_shared = | default: "alert" -} - ``` - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.0 | -| [akamai](#requirement\_akamai) | ~> 9.0 | -| [time](#requirement\_time) | ~> 0.13 | - -## Resources - -| Name | Type | -|------|------| -| [akamai_appsec_reputation_profile.dos_attackers_high_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | -| [akamai_appsec_reputation_profile.dos_attackers_high_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | -| [akamai_appsec_reputation_profile.dos_attackers_low_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | -| [akamai_appsec_reputation_profile.dos_attackers_low_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | -| [akamai_appsec_reputation_profile.scanning_tools_high_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | -| [akamai_appsec_reputation_profile.scanning_tools_high_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | -| [akamai_appsec_reputation_profile.scanning_tools_low_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | -| [akamai_appsec_reputation_profile.scanning_tools_low_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | -| [akamai_appsec_reputation_profile.web_attackers_high_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | -| [akamai_appsec_reputation_profile.web_attackers_high_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | -| [akamai_appsec_reputation_profile.web_attackers_low_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | -| [akamai_appsec_reputation_profile.web_attackers_low_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | -| [akamai_appsec_reputation_profile.web_scrapers_high_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | -| [akamai_appsec_reputation_profile.web_scrapers_high_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | -| [akamai_appsec_reputation_profile.web_scrapers_low_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | -| [akamai_appsec_reputation_profile.web_scrapers_low_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | -| [akamai_appsec_reputation_profile_action.dos_attackers_high_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | -| [akamai_appsec_reputation_profile_action.dos_attackers_high_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | -| [akamai_appsec_reputation_profile_action.dos_attackers_low_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | -| [akamai_appsec_reputation_profile_action.dos_attackers_low_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | -| [akamai_appsec_reputation_profile_action.scanning_tools_high_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | -| [akamai_appsec_reputation_profile_action.scanning_tools_high_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | -| [akamai_appsec_reputation_profile_action.scanning_tools_low_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | -| [akamai_appsec_reputation_profile_action.scanning_tools_low_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | -| [akamai_appsec_reputation_profile_action.web_attackers_high_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | -| [akamai_appsec_reputation_profile_action.web_attackers_high_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | -| [akamai_appsec_reputation_profile_action.web_attackers_low_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | -| [akamai_appsec_reputation_profile_action.web_attackers_low_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | -| [akamai_appsec_reputation_profile_action.web_scrapers_high_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | -| [akamai_appsec_reputation_profile_action.web_scrapers_high_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | -| [akamai_appsec_reputation_profile_action.web_scrapers_low_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | -| [akamai_appsec_reputation_profile_action.web_scrapers_low_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | -| [akamai_appsec_reputation_protection.tfdemo](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_protection) | resource | -| [time_sleep.wait_cr](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | - -## Modules - -No modules. - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [client\_lists\_reputationbypass](#input\_client\_lists\_reputationbypass) | ID(s) for the Reputation Bypass Client List | `list(string)` | n/a | yes | -| [config\_id](#input\_config\_id) | Akamai security configuration ID | `string` | n/a | yes | -| [security\_policy\_id](#input\_security\_policy\_id) | Security policy ID | `string` | n/a | yes | -| [rep\_dos\_attackers\_high](#input\_rep\_dos\_attackers\_high) | Action for Reputation Profile: DoS Attackers (High Threat) NON-SHARED IPs | `string` | `"alert"` | no | -| [rep\_dos\_attackers\_high\_shared](#input\_rep\_dos\_attackers\_high\_shared) | Action for Reputation Profile: DoS Attackers (High Threat) SHARED IPs | `string` | `"alert"` | no | -| [rep\_dos\_attackers\_low](#input\_rep\_dos\_attackers\_low) | Action for Reputation Profile: DoS Attackers (Low Threat) NON-SHARED IPs | `string` | `"alert"` | no | -| [rep\_dos\_attackers\_low\_shared](#input\_rep\_dos\_attackers\_low\_shared) | Action for Reputation Profile: DoS Attackers (Low Threat) SHARED IPs | `string` | `"alert"` | no | -| [rep\_scanning\_tools\_high](#input\_rep\_scanning\_tools\_high) | Action for Reputation Profile: Scanning Tools (High Threat) NON-SHARED IPs | `string` | `"alert"` | no | -| [rep\_scanning\_tools\_high\_shared](#input\_rep\_scanning\_tools\_high\_shared) | Action for Reputation Profile: Scanning Tools (High Threat) SHARED IPs | `string` | `"alert"` | no | -| [rep\_scanning\_tools\_low](#input\_rep\_scanning\_tools\_low) | Action for Reputation Profile: Scanning Tools (Low Threat) NON-SHARED IPs | `string` | `"alert"` | no | -| [rep\_scanning\_tools\_low\_shared](#input\_rep\_scanning\_tools\_low\_shared) | Action for Reputation Profile: Scanning Tools (Low Threat) SHARED IPs | `string` | `"alert"` | no | -| [rep\_web\_attackers\_high](#input\_rep\_web\_attackers\_high) | Action for Reputation Profile: Web Attackers (High Threat) NON-SHARED IPs | `string` | `"alert"` | no | -| [rep\_web\_attackers\_high\_shared](#input\_rep\_web\_attackers\_high\_shared) | Action for Reputation Profile: Web Attackers (High Threat) SHARED IPs | `string` | `"alert"` | no | -| [rep\_web\_attackers\_low](#input\_rep\_web\_attackers\_low) | Action for Reputation Profile: Web Attackers (Low Threat) NON-SHARED IPs | `string` | `"alert"` | no | -| [rep\_web\_attackers\_low\_shared](#input\_rep\_web\_attackers\_low\_shared) | Action for Reputation Profile: Web Attackers (Low Threat) SHARED IPs | `string` | `"alert"` | no | -| [rep\_web\_scrapers\_high](#input\_rep\_web\_scrapers\_high) | Action for Reputation Profile: Web Scrapers (High Threat) NON-SHARED IPs | `string` | `"alert"` | no | -| [rep\_web\_scrapers\_high\_shared](#input\_rep\_web\_scrapers\_high\_shared) | Action for Reputation Profile: Web Scrapers (High Threat) SHARED IPs | `string` | `"alert"` | no | -| [rep\_web\_scrapers\_low](#input\_rep\_web\_scrapers\_low) | Action for Reputation Profile: Web Scrapers (Low Threat) NON-SHARED IPs | `string` | `"alert"` | no | -| [rep\_web\_scrapers\_low\_shared](#input\_rep\_web\_scrapers\_low\_shared) | Action for Reputation Profile: Web Scrapers (Low Threat) SHARED IPs | `string` | `"alert"` | no | - -## Outputs - -No outputs. - \ No newline at end of file diff --git a/aap-asm/client-reputation/main.tf b/aap-asm/client-reputation/main.tf deleted file mode 100644 index 3ed5b34..0000000 --- a/aap-asm/client-reputation/main.tf +++ /dev/null @@ -1,16 +0,0 @@ -/** - * # Onboarding: Application Security Configuration for Client Reputation - * - * The use case for this module is to quickly create a new Application Security Configuration for Client Reputation - * serving a set of hostnames following Akamai Professional Services Best Practices. - * - * Read on to find out which resources are provisioned as part of this - * process, and how to customize! - * - */ - -resource "akamai_appsec_reputation_protection" "tfdemo" { - config_id = var.config_id - security_policy_id = var.security_policy_id - enabled = true -} diff --git a/aap-asm/client-reputation/reputation-actions.tf b/aap-asm/client-reputation/reputation-actions.tf deleted file mode 100644 index cd375c7..0000000 --- a/aap-asm/client-reputation/reputation-actions.tf +++ /dev/null @@ -1,125 +0,0 @@ -/* - Web Attackers -*/ -resource "akamai_appsec_reputation_profile_action" "web_attackers_high_threat" { - config_id = var.config_id - security_policy_id = var.security_policy_id - reputation_profile_id = akamai_appsec_reputation_profile.web_attackers_high_threat.reputation_profile_id - action = var.rep_web_attackers_high -} - -resource "akamai_appsec_reputation_profile_action" "web_attackers_high_threat_shared" { - config_id = var.config_id - security_policy_id = var.security_policy_id - reputation_profile_id = akamai_appsec_reputation_profile.web_attackers_high_threat_shared.reputation_profile_id - action = var.rep_web_attackers_high_shared -} - -resource "akamai_appsec_reputation_profile_action" "web_attackers_low_threat" { - config_id = var.config_id - security_policy_id = var.security_policy_id - reputation_profile_id = akamai_appsec_reputation_profile.web_attackers_low_threat.reputation_profile_id - action = var.rep_web_attackers_low -} - -resource "akamai_appsec_reputation_profile_action" "web_attackers_low_threat_shared" { - config_id = var.config_id - security_policy_id = var.security_policy_id - reputation_profile_id = akamai_appsec_reputation_profile.web_attackers_low_threat_shared.reputation_profile_id - action = var.rep_web_attackers_low_shared -} - -/* - DoS Attackers -*/ -resource "akamai_appsec_reputation_profile_action" "dos_attackers_high_threat" { - config_id = var.config_id - security_policy_id = var.security_policy_id - reputation_profile_id = akamai_appsec_reputation_profile.dos_attackers_high_threat.reputation_profile_id - action = var.rep_dos_attackers_high -} - -resource "akamai_appsec_reputation_profile_action" "dos_attackers_high_threat_shared" { - config_id = var.config_id - security_policy_id = var.security_policy_id - reputation_profile_id = akamai_appsec_reputation_profile.dos_attackers_high_threat_shared.reputation_profile_id - action = var.rep_dos_attackers_high_shared -} - -resource "akamai_appsec_reputation_profile_action" "dos_attackers_low_threat" { - config_id = var.config_id - security_policy_id = var.security_policy_id - reputation_profile_id = akamai_appsec_reputation_profile.dos_attackers_low_threat.reputation_profile_id - action = var.rep_dos_attackers_low -} - -resource "akamai_appsec_reputation_profile_action" "dos_attackers_low_threat_shared" { - config_id = var.config_id - security_policy_id = var.security_policy_id - reputation_profile_id = akamai_appsec_reputation_profile.dos_attackers_low_threat_shared.reputation_profile_id - action = var.rep_dos_attackers_low_shared -} - -/* - Scanning Tools -*/ -resource "akamai_appsec_reputation_profile_action" "scanning_tools_high_threat" { - config_id = var.config_id - security_policy_id = var.security_policy_id - reputation_profile_id = akamai_appsec_reputation_profile.scanning_tools_high_threat.reputation_profile_id - action = var.rep_scanning_tools_high -} - -resource "akamai_appsec_reputation_profile_action" "scanning_tools_high_threat_shared" { - config_id = var.config_id - security_policy_id = var.security_policy_id - reputation_profile_id = akamai_appsec_reputation_profile.scanning_tools_high_threat_shared.reputation_profile_id - action = var.rep_scanning_tools_high_shared -} - -resource "akamai_appsec_reputation_profile_action" "scanning_tools_low_threat" { - config_id = var.config_id - security_policy_id = var.security_policy_id - reputation_profile_id = akamai_appsec_reputation_profile.scanning_tools_low_threat.reputation_profile_id - action = var.rep_scanning_tools_low -} - -resource "akamai_appsec_reputation_profile_action" "scanning_tools_low_threat_shared" { - config_id = var.config_id - security_policy_id = var.security_policy_id - reputation_profile_id = akamai_appsec_reputation_profile.scanning_tools_low_threat_shared.reputation_profile_id - action = var.rep_scanning_tools_low_shared -} - -/* - Web Scrapers -*/ -resource "akamai_appsec_reputation_profile_action" "web_scrapers_low_threat" { - config_id = var.config_id - security_policy_id = var.security_policy_id - reputation_profile_id = akamai_appsec_reputation_profile.web_scrapers_low_threat.reputation_profile_id - action = var.rep_web_scrapers_low -} - -resource "akamai_appsec_reputation_profile_action" "web_scrapers_high_threat_shared" { - config_id = var.config_id - security_policy_id = var.security_policy_id - reputation_profile_id = akamai_appsec_reputation_profile.web_scrapers_high_threat_shared.reputation_profile_id - action = var.rep_web_scrapers_low_shared -} - -resource "akamai_appsec_reputation_profile_action" "web_scrapers_high_threat" { - config_id = var.config_id - security_policy_id = var.security_policy_id - reputation_profile_id = akamai_appsec_reputation_profile.web_scrapers_high_threat.reputation_profile_id - action = var.rep_web_scrapers_high -} - -resource "akamai_appsec_reputation_profile_action" "web_scrapers_low_threat_shared" { - config_id = var.config_id - security_policy_id = var.security_policy_id - reputation_profile_id = akamai_appsec_reputation_profile.web_scrapers_low_threat_shared.reputation_profile_id - action = var.rep_web_scrapers_high_shared -} - - diff --git a/aap-asm/client-reputation/reputation-profiles.tf b/aap-asm/client-reputation/reputation-profiles.tf deleted file mode 100644 index fe7213e..0000000 --- a/aap-asm/client-reputation/reputation-profiles.tf +++ /dev/null @@ -1,424 +0,0 @@ -resource "time_sleep" "wait_cr" { - create_duration = "20s" - depends_on = [akamai_appsec_reputation_protection.tfdemo] -} - -/* - Web Attackers -*/ -resource "akamai_appsec_reputation_profile" "web_attackers_high_threat" { - config_id = var.config_id - reputation_profile = jsonencode( - { - "condition" : { - "atomicConditions" : [ - { - "checkIps" : "connecting", - "className" : "NetworkListCondition", - "index" : 1, - "positiveMatch" : true, - "value" : var.client_lists_reputationbypass - } - ], - "positiveMatch" : false - }, - "context" : "WEBATCK", - "name" : "Web Attackers (High Threat)", - "sharedIpHandling" : "NON_SHARED", - "threshold" : 9 - } - ) - depends_on = [time_sleep.wait_cr] -} - -resource "akamai_appsec_reputation_profile" "web_attackers_high_threat_shared" { - config_id = var.config_id - reputation_profile = jsonencode( - { - "condition" : { - "atomicConditions" : [ - { - "checkIps" : "connecting", - "className" : "NetworkListCondition", - "index" : 1, - "positiveMatch" : true, - "value" : var.client_lists_reputationbypass - } - ], - "positiveMatch" : false - }, - "context" : "WEBATCK", - "name" : "Web Attackers (High Threat) [Shared IPs]", - "sharedIpHandling" : "SHARED_ONLY", - "threshold" : 9 - } - ) - depends_on = [akamai_appsec_reputation_profile.web_attackers_high_threat, - time_sleep.wait_cr] -} - -resource "akamai_appsec_reputation_profile" "web_attackers_low_threat" { - config_id = var.config_id - reputation_profile = jsonencode( - { - "condition" : { - "atomicConditions" : [ - { - "checkIps" : "connecting", - "className" : "NetworkListCondition", - "index" : 1, - "positiveMatch" : true, - "value" : var.client_lists_reputationbypass - } - ], - "positiveMatch" : false - }, - "context" : "WEBATCK", - "name" : "Web Attackers (Low Threat)", - "sharedIpHandling" : "NON_SHARED", - "threshold" : 5 - } - ) - depends_on = [time_sleep.wait_cr] -} - -resource "akamai_appsec_reputation_profile" "web_attackers_low_threat_shared" { - config_id = var.config_id - reputation_profile = jsonencode( - { - "condition" : { - "atomicConditions" : [ - { - "checkIps" : "connecting", - "className" : "NetworkListCondition", - "index" : 1, - "positiveMatch" : true, - "value" : var.client_lists_reputationbypass - } - ], - "positiveMatch" : false - }, - "context" : "WEBATCK", - "name" : "Web Attackers (Low Threat) [Shared IPs]", - "sharedIpHandling" : "SHARED_ONLY", - "threshold" : 7 - } - ) - depends_on = [akamai_appsec_reputation_profile.web_attackers_low_threat, - time_sleep.wait_cr] -} - -/* - DoS Attackers -*/ -resource "akamai_appsec_reputation_profile" "dos_attackers_high_threat" { - config_id = var.config_id - reputation_profile = jsonencode( - { - "condition" : { - "atomicConditions" : [ - { - "checkIps" : "connecting", - "className" : "NetworkListCondition", - "index" : 1, - "positiveMatch" : true, - "value" : var.client_lists_reputationbypass - } - ], - "positiveMatch" : false - }, - "context" : "DOSATCK", - "name" : "DoS Attackers (High Threat)", - "sharedIpHandling" : "NON_SHARED", - "threshold" : 9 - } - ) - depends_on = [time_sleep.wait_cr] -} - -resource "akamai_appsec_reputation_profile" "dos_attackers_high_threat_shared" { - config_id = var.config_id - reputation_profile = jsonencode( - { - "condition" : { - "atomicConditions" : [ - { - "checkIps" : "connecting", - "className" : "NetworkListCondition", - "index" : 1, - "positiveMatch" : true, - "value" : var.client_lists_reputationbypass - } - ], - "positiveMatch" : false - }, - "context" : "DOSATCK", - "name" : "DoS Attackers (High Threat) [Shared IPs]", - "sharedIpHandling" : "SHARED_ONLY", - "threshold" : 9 - } - ) - depends_on = [akamai_appsec_reputation_profile.dos_attackers_high_threat, - time_sleep.wait_cr] -} - -resource "akamai_appsec_reputation_profile" "dos_attackers_low_threat" { - config_id = var.config_id - reputation_profile = jsonencode( - { - "condition" : { - "atomicConditions" : [ - { - "checkIps" : "connecting", - "className" : "NetworkListCondition", - "index" : 1, - "positiveMatch" : true, - "value" : var.client_lists_reputationbypass - } - ], - "positiveMatch" : false - }, - "context" : "DOSATCK", - "name" : "DoS Attackers (Low Threat)", - "sharedIpHandling" : "NON_SHARED", - "threshold" : 5 - } - ) - depends_on = [time_sleep.wait_cr] -} - -resource "akamai_appsec_reputation_profile" "dos_attackers_low_threat_shared" { - config_id = var.config_id - reputation_profile = jsonencode( - { - "condition" : { - "atomicConditions" : [ - { - "checkIps" : "connecting", - "className" : "NetworkListCondition", - "index" : 1, - "positiveMatch" : true, - "value" : var.client_lists_reputationbypass - } - ], - "positiveMatch" : false - }, - "context" : "DOSATCK", - "name" : "DoS Attackers (Low Threat) [Shared IPs]", - "sharedIpHandling" : "SHARED_ONLY", - "threshold" : 7 - } - ) - depends_on = [akamai_appsec_reputation_profile.dos_attackers_low_threat, - time_sleep.wait_cr] -} - -/* - Scanning Tools -*/ -resource "akamai_appsec_reputation_profile" "scanning_tools_high_threat" { - config_id = var.config_id - reputation_profile = jsonencode( - { - "condition" : { - "atomicConditions" : [ - { - "checkIps" : "connecting", - "className" : "NetworkListCondition", - "index" : 1, - "positiveMatch" : true, - "value" : var.client_lists_reputationbypass - } - ], - "positiveMatch" : false - }, - "context" : "SCANTL", - "name" : "Scanning Tools (High Threat)", - "sharedIpHandling" : "NON_SHARED", - "threshold" : 9 - } - ) - depends_on = [time_sleep.wait_cr] -} - -resource "akamai_appsec_reputation_profile" "scanning_tools_high_threat_shared" { - config_id = var.config_id - reputation_profile = jsonencode( - { - "condition" : { - "atomicConditions" : [ - { - "checkIps" : "connecting", - "className" : "NetworkListCondition", - "index" : 1, - "positiveMatch" : true, - "value" : var.client_lists_reputationbypass - } - ], - "positiveMatch" : false - }, - "context" : "SCANTL", - "name" : "Scanning Tools (High Threat) [Shared IPs]", - "sharedIpHandling" : "SHARED_ONLY", - "threshold" : 9 - } - ) - depends_on = [akamai_appsec_reputation_profile.scanning_tools_high_threat, - time_sleep.wait_cr] -} - -resource "akamai_appsec_reputation_profile" "scanning_tools_low_threat" { - config_id = var.config_id - reputation_profile = jsonencode( - { - "condition" : { - "atomicConditions" : [ - { - "checkIps" : "connecting", - "className" : "NetworkListCondition", - "index" : 1, - "positiveMatch" : true, - "value" : var.client_lists_reputationbypass - } - ], - "positiveMatch" : false - }, - "context" : "SCANTL", - "name" : "Scanning Tools (Low Threat)", - "sharedIpHandling" : "NON_SHARED", - "threshold" : 5 - } - ) - depends_on = [time_sleep.wait_cr] -} - -resource "akamai_appsec_reputation_profile" "scanning_tools_low_threat_shared" { - config_id = var.config_id - reputation_profile = jsonencode( - { - "condition" : { - "atomicConditions" : [ - { - "checkIps" : "connecting", - "className" : "NetworkListCondition", - "index" : 1, - "positiveMatch" : true, - "value" : var.client_lists_reputationbypass - } - ], - "positiveMatch" : false - }, - "context" : "SCANTL", - "name" : "Scanning Tools (Low Threat) [Shared IPs]", - "sharedIpHandling" : "SHARED_ONLY", - "threshold" : 7 - } - ) - depends_on = [akamai_appsec_reputation_profile.scanning_tools_low_threat, - time_sleep.wait_cr] -} - -/* - Web Scrapers -*/ -resource "akamai_appsec_reputation_profile" "web_scrapers_high_threat" { - config_id = var.config_id - reputation_profile = jsonencode( - { - "condition" : { - "atomicConditions" : [ - { - "checkIps" : "connecting", - "className" : "NetworkListCondition", - "index" : 1, - "positiveMatch" : true, - "value" : var.client_lists_reputationbypass - } - ], - "positiveMatch" : false - }, - "context" : "WEBSCRP", - "name" : "Web Scrapers (High Threat)", - "sharedIpHandling" : "NON_SHARED", - "threshold" : 9 - } - ) - depends_on = [time_sleep.wait_cr] -} - -resource "akamai_appsec_reputation_profile" "web_scrapers_high_threat_shared" { - config_id = var.config_id - reputation_profile = jsonencode( - { - "condition" : { - "atomicConditions" : [ - { - "checkIps" : "connecting", - "className" : "NetworkListCondition", - "index" : 1, - "positiveMatch" : true, - "value" : var.client_lists_reputationbypass - } - ], - "positiveMatch" : false - }, - "context" : "WEBSCRP", - "name" : "Web Scrapers (High Threat) [Shared IPs]", - "sharedIpHandling" : "SHARED_ONLY", - "threshold" : 9 - } - ) - depends_on = [akamai_appsec_reputation_profile.web_scrapers_high_threat, - time_sleep.wait_cr] -} - -resource "akamai_appsec_reputation_profile" "web_scrapers_low_threat" { - config_id = var.config_id - reputation_profile = jsonencode( - { - "condition" : { - "atomicConditions" : [ - { - "checkIps" : "connecting", - "className" : "NetworkListCondition", - "index" : 1, - "positiveMatch" : true, - "value" : var.client_lists_reputationbypass - } - ], - "positiveMatch" : false - }, - "context" : "WEBSCRP", - "name" : "Web Scrapers (Low Threat)", - "sharedIpHandling" : "NON_SHARED", - "threshold" : 5 - } - ) - depends_on = [time_sleep.wait_cr] -} - -resource "akamai_appsec_reputation_profile" "web_scrapers_low_threat_shared" { - config_id = var.config_id - reputation_profile = jsonencode( - { - "condition" : { - "atomicConditions" : [ - { - "checkIps" : "connecting", - "className" : "NetworkListCondition", - "index" : 1, - "positiveMatch" : true, - "value" : var.client_lists_reputationbypass - } - ], - "positiveMatch" : false - }, - "context" : "WEBSCRP", - "name" : "Web Scrapers (Low Threat) [Shared IPs]", - "sharedIpHandling" : "SHARED_ONLY", - "threshold" : 7 - } - ) - depends_on = [akamai_appsec_reputation_profile.web_scrapers_low_threat, - time_sleep.wait_cr] -} \ No newline at end of file diff --git a/aap-asm/client-reputation/variables.tf b/aap-asm/client-reputation/variables.tf deleted file mode 100644 index 8dc77c3..0000000 --- a/aap-asm/client-reputation/variables.tf +++ /dev/null @@ -1,112 +0,0 @@ -# Global settings -variable "config_id" { - description = "Akamai security configuration ID" - type = string -} -variable "security_policy_id" { - description = "Security policy ID" - type = string -} - -# Bypass List -variable "client_lists_reputationbypass" { - description = "ID(s) for the Reputation Bypass Client List" - type = list(string) -} - -# Client Reputation Actions -variable "rep_web_attackers_high" { - description = "Action for Reputation Profile: Web Attackers (High Threat) NON-SHARED IPs" - type = string - default = "alert" -} - -variable "rep_web_attackers_high_shared" { - description = "Action for Reputation Profile: Web Attackers (High Threat) SHARED IPs" - type = string - default = "alert" -} - -variable "rep_web_attackers_low" { - description = "Action for Reputation Profile: Web Attackers (Low Threat) NON-SHARED IPs" - type = string - default = "alert" -} - -variable "rep_web_attackers_low_shared" { - description = "Action for Reputation Profile: Web Attackers (Low Threat) SHARED IPs" - type = string - default = "alert" -} - -variable "rep_dos_attackers_high" { - description = "Action for Reputation Profile: DoS Attackers (High Threat) NON-SHARED IPs" - type = string - default = "alert" -} - -variable "rep_dos_attackers_high_shared" { - description = "Action for Reputation Profile: DoS Attackers (High Threat) SHARED IPs" - type = string - default = "alert" -} - -variable "rep_dos_attackers_low" { - description = "Action for Reputation Profile: DoS Attackers (Low Threat) NON-SHARED IPs" - type = string - default = "alert" -} - -variable "rep_dos_attackers_low_shared" { - description = "Action for Reputation Profile: DoS Attackers (Low Threat) SHARED IPs" - type = string - default = "alert" -} - -variable "rep_scanning_tools_high" { - description = "Action for Reputation Profile: Scanning Tools (High Threat) NON-SHARED IPs" - type = string - default = "alert" -} - -variable "rep_scanning_tools_high_shared" { - description = "Action for Reputation Profile: Scanning Tools (High Threat) SHARED IPs" - type = string - default = "alert" -} - -variable "rep_scanning_tools_low" { - description = "Action for Reputation Profile: Scanning Tools (Low Threat) NON-SHARED IPs" - type = string - default = "alert" -} - -variable "rep_scanning_tools_low_shared" { - description = "Action for Reputation Profile: Scanning Tools (Low Threat) SHARED IPs" - type = string - default = "alert" -} - -variable "rep_web_scrapers_high" { - description = "Action for Reputation Profile: Web Scrapers (High Threat) NON-SHARED IPs" - type = string - default = "alert" -} - -variable "rep_web_scrapers_high_shared" { - description = "Action for Reputation Profile: Web Scrapers (High Threat) SHARED IPs" - type = string - default = "alert" -} - -variable "rep_web_scrapers_low" { - description = "Action for Reputation Profile: Web Scrapers (Low Threat) NON-SHARED IPs" - type = string - default = "alert" -} - -variable "rep_web_scrapers_low_shared" { - description = "Action for Reputation Profile: Web Scrapers (Low Threat) SHARED IPs" - type = string - default = "alert" -} diff --git a/aap-asm/security-config/.terraform-docs.yaml b/aap-asm/security-config/.terraform-docs.yaml new file mode 100644 index 0000000..d0f90f3 --- /dev/null +++ b/aap-asm/security-config/.terraform-docs.yaml @@ -0,0 +1,68 @@ +header-from: main.tf +footer-from: "" +formatter: markdown table +recursive: + enabled: false + path: "" +content: |- + + {{ .Header }} + + # Usage + Basic usage of this module is as follows: + + ```hcl + module "example" { + {{"\t"}} source = "" + {{- if .Module.RequiredInputs }} + {{"\n\t"}} # Required variables + {{- range .Module.RequiredInputs }} + {{"\t"}} {{ .Name }} = <{{ .Type }}> + {{- end }} + {{- end }} + {{- if .Module.OptionalInputs }} + {{"\n\t"}} # Optional variables + {{- range .Module.OptionalInputs }} + {{"\t"}} {{ .Name }} = <{{ .Type }}> | default: {{ .GetValue | printf "%s" }} + {{- end }} + {{- end }} + } + ``` + + {{ .Requirements }} + + {{ .Resources }} + + {{ .Modules }} + + {{ .Inputs }} + + {{ .Outputs }} + +output: + file: README.md + mode: replace + template: |- + + {{ .Content }} + +output-values: + enabled: false + from: "" +sort: + enabled: true + by: required +settings: + anchor: true + color: true + default: true + description: true + escape: true + hide-empty: false + html: true + indent: 2 + lockfile: true + read-comments: true + required: true + sensitive: true + type: true \ No newline at end of file diff --git a/aap-asm/security-config/README.md b/aap-asm/security-config/README.md new file mode 100644 index 0000000..a0a4b30 --- /dev/null +++ b/aap-asm/security-config/README.md @@ -0,0 +1,114 @@ + + +# Security Configuration (Config-Level) + +Creates and manages the Akamai Application Security configuration, +advanced settings, rate policies, and reputation profiles. +This module is called once per deployment. Individual security policies +are created by the companion `security-policy` module using `for_each`. + +# Usage +Basic usage of this module is as follows: + +```hcl +module "example" { + source = "" + + # Required variables + config_name = + contract_id = + description = + group_name = + hostnames = + version_notes = + + # Optional variables + client_lists_pragmabypass = | default: [] + client_lists_rcbypass = | default: [] + client_lists_reputationbypass = | default: [] + client_lists_securitybypass = | default: [] + enable_client_reputation = | default: false + inspection_size = | default: 32 +} + ``` + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.9.0 | +| [akamai](#requirement\_akamai) | ~> 9.0 | +| [random](#requirement\_random) | ~> 3.7 | +| [time](#requirement\_time) | ~> 0.13 | + +## Resources + +| Name | Type | +|------|------| +| [akamai_appsec_advanced_settings_attack_payload_logging.attack_payload_logging](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_advanced_settings_attack_payload_logging) | resource | +| [akamai_appsec_advanced_settings_evasive_path_match.evasive_path_match](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_advanced_settings_evasive_path_match) | resource | +| [akamai_appsec_advanced_settings_logging.logging](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_advanced_settings_logging) | resource | +| [akamai_appsec_advanced_settings_pii_learning.pii_learning](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_advanced_settings_pii_learning) | resource | +| [akamai_appsec_advanced_settings_pragma_header.pragma_header](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_advanced_settings_pragma_header) | resource | +| [akamai_appsec_advanced_settings_prefetch.prefetch](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_advanced_settings_prefetch) | resource | +| [akamai_appsec_advanced_settings_request_body.config_settings](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_advanced_settings_request_body) | resource | +| [akamai_appsec_configuration.config](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_configuration) | resource | +| [akamai_appsec_rate_policy.origin_error](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_rate_policy) | resource | +| [akamai_appsec_rate_policy.page_view_requests](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_rate_policy) | resource | +| [akamai_appsec_rate_policy.post_page_requests](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_rate_policy) | resource | +| [akamai_appsec_reputation_profile.dos_attackers_high_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | +| [akamai_appsec_reputation_profile.dos_attackers_high_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | +| [akamai_appsec_reputation_profile.dos_attackers_low_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | +| [akamai_appsec_reputation_profile.dos_attackers_low_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | +| [akamai_appsec_reputation_profile.scanning_tools_high_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | +| [akamai_appsec_reputation_profile.scanning_tools_high_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | +| [akamai_appsec_reputation_profile.scanning_tools_low_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | +| [akamai_appsec_reputation_profile.scanning_tools_low_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | +| [akamai_appsec_reputation_profile.web_attackers_high_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | +| [akamai_appsec_reputation_profile.web_attackers_high_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | +| [akamai_appsec_reputation_profile.web_attackers_low_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | +| [akamai_appsec_reputation_profile.web_attackers_low_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | +| [akamai_appsec_reputation_profile.web_scrapers_high_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | +| [akamai_appsec_reputation_profile.web_scrapers_high_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | +| [akamai_appsec_reputation_profile.web_scrapers_low_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | +| [akamai_appsec_reputation_profile.web_scrapers_low_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile) | resource | +| [akamai_appsec_version_notes.version_notes](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_version_notes) | resource | +| [random_string.secret_header](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | +| [time_sleep.wait1](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | +| [time_sleep.wait2](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | +| [time_sleep.wait_cr](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | +| [akamai_clientlist_lists.all](https://registry.terraform.io/providers/akamai/akamai/latest/docs/data-sources/clientlist_lists) | data source | +| [akamai_group.group](https://registry.terraform.io/providers/akamai/akamai/latest/docs/data-sources/group) | data source | + +## Modules + +No modules. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [config\_name](#input\_config\_name) | Security configuration name | `string` | n/a | yes | +| [contract\_id](#input\_contract\_id) | Akamai Contract ID | `string` | n/a | yes | +| [description](#input\_description) | Security configuration description | `string` | n/a | yes | +| [group\_name](#input\_group\_name) | Akamai Group Name | `string` | n/a | yes | +| [hostnames](#input\_hostnames) | All hostnames to protect by the security config | `list(string)` | n/a | yes | +| [version\_notes](#input\_version\_notes) | Notes for the configuration version | `string` | n/a | yes | +| [client\_lists\_pragmabypass](#input\_client\_lists\_pragmabypass) | ID(s) for the Pragma Bypass Client List | `list(string)` | `[]` | no | +| [client\_lists\_rcbypass](#input\_client\_lists\_rcbypass) | ID(s) for the Rate Control Bypass Client List | `list(string)` | `[]` | no | +| [client\_lists\_reputationbypass](#input\_client\_lists\_reputationbypass) | ID(s) for the Reputation Bypass Client List | `list(string)` | `[]` | no | +| [client\_lists\_securitybypass](#input\_client\_lists\_securitybypass) | ID(s) for the Security Bypass Client List | `list(string)` | `[]` | no | +| [enable\_client\_reputation](#input\_enable\_client\_reputation) | Enable Client Reputation profiles at config level | `bool` | `false` | no | +| [inspection\_size](#input\_inspection\_size) | Request body inspection limit | `number` | `32` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [bypass\_network\_lists](#output\_bypass\_network\_lists) | Bypass network lists with ID and name | +| [config\_id](#output\_config\_id) | Security Configuration ID | +| [rate\_policy\_origin\_error\_id](#output\_rate\_policy\_origin\_error\_id) | Rate Policy ID for Origin Error | +| [rate\_policy\_page\_view\_requests\_id](#output\_rate\_policy\_page\_view\_requests\_id) | Rate Policy ID for Page View Requests | +| [rate\_policy\_post\_page\_requests\_id](#output\_rate\_policy\_post\_page\_requests\_id) | Rate Policy ID for POST Page Requests | +| [reputation\_profile\_ids](#output\_reputation\_profile\_ids) | Map of reputation profile IDs | + \ No newline at end of file diff --git a/aap-asm/security/advanced.tf b/aap-asm/security-config/advanced.tf similarity index 82% rename from aap-asm/security/advanced.tf rename to aap-asm/security-config/advanced.tf index 694e97c..45f772a 100644 --- a/aap-asm/security/advanced.tf +++ b/aap-asm/security-config/advanced.tf @@ -1,4 +1,3 @@ -# Random string for enabling pragma headers resource "random_string" "secret_header" { length = 20 lower = true @@ -9,8 +8,6 @@ resource "random_string" "secret_header" { min_special = "1" } - -// Global Advanced resource "akamai_appsec_advanced_settings_evasive_path_match" "evasive_path_match" { config_id = akamai_appsec_configuration.config.config_id enable_path_match = true @@ -100,15 +97,3 @@ resource "akamai_appsec_advanced_settings_pragma_header" "pragma_header" { } ) } - -# // Override advanced settings on the policy level by add the below line, -# // security_policy_id = akamai_appsec_security_policy.tfdemo.security_policy_id -# // Where tfdemo is the reference name of the policy created, different policies will have different reference name - -# resource "akamai_appsec_advanced_settings_evasive_path_match" "tfdemo" { -# config_id = akamai_appsec_configuration.config.config_id -# security_policy_id = akamai_appsec_security_policy.tfdemo.security_policy_id -# enable_path_match = false -# } - - diff --git a/aap-asm/security-config/client-lists-data.tf b/aap-asm/security-config/client-lists-data.tf new file mode 100644 index 0000000..24aba2b --- /dev/null +++ b/aap-asm/security-config/client-lists-data.tf @@ -0,0 +1,15 @@ +data "akamai_clientlist_lists" "all" { +} + +locals { + all_lists = { + for list in data.akamai_clientlist_lists.all.lists : list.list_id => list + } + + bypass_network_lists = [ + for id in var.client_lists_securitybypass : { + "id" = id + "name" = lookup(local.all_lists, id, { name = "Unknown" }).name + } + ] +} diff --git a/aap-asm/security/main.tf b/aap-asm/security-config/main.tf similarity index 59% rename from aap-asm/security/main.tf rename to aap-asm/security-config/main.tf index b3f5c3f..2505f7f 100644 --- a/aap-asm/security/main.tf +++ b/aap-asm/security-config/main.tf @@ -1,11 +1,10 @@ /** - * # Onboarding: Application Security Configuration + * # Security Configuration (Config-Level) * - * The use case for this module is to quickly create a new Application Security configuration - * serving a set of hostnames following Akamai Professional Services Best Practices. - * - * Read on to find out which resources are provisioned as part of this - * process, and how to customize! + * Creates and manages the Akamai Application Security configuration, + * advanced settings, rate policies, and reputation profiles. + * This module is called once per deployment. Individual security policies + * are created by the companion `security-policy` module using `for_each`. * */ @@ -25,4 +24,4 @@ resource "akamai_appsec_configuration" "config" { resource "akamai_appsec_version_notes" "version_notes" { config_id = akamai_appsec_configuration.config.config_id version_notes = var.version_notes -} \ No newline at end of file +} diff --git a/aap-asm/security-config/outputs.tf b/aap-asm/security-config/outputs.tf new file mode 100644 index 0000000..1a7d9ff --- /dev/null +++ b/aap-asm/security-config/outputs.tf @@ -0,0 +1,51 @@ +output "config_id" { + value = akamai_appsec_configuration.config.config_id + description = "Security Configuration ID" +} + +output "config_name" { + value = akamai_appsec_configuration.config.name + description = "Security Configuration name (referencing this output defers by-name lookups until the config exists)" +} + +output "rate_policy_origin_error_id" { + value = akamai_appsec_rate_policy.origin_error.rate_policy_id + description = "Rate Policy ID for Origin Error" +} + +output "rate_policy_post_page_requests_id" { + value = akamai_appsec_rate_policy.post_page_requests.rate_policy_id + description = "Rate Policy ID for POST Page Requests" +} + +output "rate_policy_page_view_requests_id" { + value = akamai_appsec_rate_policy.page_view_requests.rate_policy_id + description = "Rate Policy ID for Page View Requests" +} + +output "reputation_profile_ids" { + description = "Map of reputation profile IDs" + value = var.enable_client_reputation ? { + web_attackers_high_threat = try(akamai_appsec_reputation_profile.web_attackers_high_threat[0].reputation_profile_id, null) + web_attackers_high_threat_shared = try(akamai_appsec_reputation_profile.web_attackers_high_threat_shared[0].reputation_profile_id, null) + web_attackers_low_threat = try(akamai_appsec_reputation_profile.web_attackers_low_threat[0].reputation_profile_id, null) + web_attackers_low_threat_shared = try(akamai_appsec_reputation_profile.web_attackers_low_threat_shared[0].reputation_profile_id, null) + dos_attackers_high_threat = try(akamai_appsec_reputation_profile.dos_attackers_high_threat[0].reputation_profile_id, null) + dos_attackers_high_threat_shared = try(akamai_appsec_reputation_profile.dos_attackers_high_threat_shared[0].reputation_profile_id, null) + dos_attackers_low_threat = try(akamai_appsec_reputation_profile.dos_attackers_low_threat[0].reputation_profile_id, null) + dos_attackers_low_threat_shared = try(akamai_appsec_reputation_profile.dos_attackers_low_threat_shared[0].reputation_profile_id, null) + scanning_tools_high_threat = try(akamai_appsec_reputation_profile.scanning_tools_high_threat[0].reputation_profile_id, null) + scanning_tools_high_threat_shared = try(akamai_appsec_reputation_profile.scanning_tools_high_threat_shared[0].reputation_profile_id, null) + scanning_tools_low_threat = try(akamai_appsec_reputation_profile.scanning_tools_low_threat[0].reputation_profile_id, null) + scanning_tools_low_threat_shared = try(akamai_appsec_reputation_profile.scanning_tools_low_threat_shared[0].reputation_profile_id, null) + web_scrapers_high_threat = try(akamai_appsec_reputation_profile.web_scrapers_high_threat[0].reputation_profile_id, null) + web_scrapers_high_threat_shared = try(akamai_appsec_reputation_profile.web_scrapers_high_threat_shared[0].reputation_profile_id, null) + web_scrapers_low_threat = try(akamai_appsec_reputation_profile.web_scrapers_low_threat[0].reputation_profile_id, null) + web_scrapers_low_threat_shared = try(akamai_appsec_reputation_profile.web_scrapers_low_threat_shared[0].reputation_profile_id, null) + } : {} +} + +output "bypass_network_lists" { + value = local.bypass_network_lists + description = "Bypass network lists with ID and name" +} diff --git a/aap-asm/security/rate-policies.tf b/aap-asm/security-config/rate-policies.tf similarity index 72% rename from aap-asm/security/rate-policies.tf rename to aap-asm/security-config/rate-policies.tf index 8454e27..3921e9f 100644 --- a/aap-asm/security/rate-policies.tf +++ b/aap-asm/security-config/rate-policies.tf @@ -34,19 +34,21 @@ resource "akamai_appsec_rate_policy" "origin_error" { ], "averageThreshold" : 5, "burstThreshold" : 8, + "burstWindow" : 5, "clientIdentifiers" : ["ip"], + "counterType" : "region_aggregated", "description" : "An excessive error rate from the origin could indicate malicious activity by a bot scanning the site or a publishing error. In both cases, this would increase the origin traffic and could potentially destabilize it.", "matchType" : "path", "name" : "Origin Error", "pathMatchType" : "Custom", "pathUriPositiveMatch" : true, + "penaltyBoxDuration" : "TEN_MINUTES", "requestType" : "ForwardResponse", "sameActionOnIpv6" : true, "type" : "WAF", "useXForwardForHeaders" : false } ) - depends_on = [akamai_appsec_security_policy.tfdemo] } resource "time_sleep" "wait1" { @@ -75,12 +77,15 @@ resource "akamai_appsec_rate_policy" "post_page_requests" { ], "averageThreshold" : 3, "burstThreshold" : 5, + "burstWindow" : 5, "clientIdentifiers" : ["ip"], + "counterType" : "region_aggregated", "description" : "Mitigating HTTP flood attacks using POST requests", "matchType" : "path", "name" : "POST and PUT Page Requests", "pathMatchType" : "Custom", "pathUriPositiveMatch" : true, + "penaltyBoxDuration" : "TEN_MINUTES", "requestType" : "ClientRequest", "sameActionOnIpv6" : true, "type" : "WAF", @@ -116,94 +121,24 @@ resource "akamai_appsec_rate_policy" "page_view_requests" { ], "averageThreshold" : 12, "burstThreshold" : 18, + "burstWindow" : 5, "clientIdentifiers" : ["ip"], + "counterType" : "region_aggregated", + "penaltyBoxDuration" : "TEN_MINUTES", "description" : "A popular brute force attack that consists of sending a large number of requests for base page, HTML page or XHR requests (usually non-cacheable). This could destabilize the origin.", "fileExtensions" : { "positiveMatch" : false, "values" : [ - "aif", - "aiff", - "au", - "avi", - "bin", - "bmp", - "cab", - "carb", - "cct", - "cdf", - "class", - "css", - "csv", - "dcr", - "doc", - "docx", - "dtd", - "ejs", - "ejss", - "eot", - "eps", - "exe", - "flv", - "gcf", - "gff", - "gif", - "grv", - "hdml", - "hdp", - "hqx", - "ico", - "ini", - "jar", - "jp2", - "jpeg", - "jpg", - "js", - "jxr", - "mid", - "midi", - "mov", - "mp3", - "mp4", - "nc", - "ogv", - "otc", - "otf", - "pct", - "pdf", - "pict", - "pls", - "png", - "ppc", - "ppt", - "pptx", - "ps", - "pws", - "svg", - "svgz", - "swa", - "swf", - "tif", - "tiff", - "ttc", - "ttf", - "txt", - "vbs", - "w32", - "wav", - "wbmp", - "wdp", - "webm", - "webp", - "wml", - "wmlc", - "wmls", - "wmlsc", - "woff", - "woff2", - "xls", - "xlsx", - "xsd", - "zip" + "aif", "aiff", "au", "avi", "bin", "bmp", "cab", "carb", "cct", + "cdf", "class", "css", "csv", "dcr", "doc", "docx", "dtd", "ejs", + "ejss", "eot", "eps", "exe", "flv", "gcf", "gff", "gif", "grv", + "hdml", "hdp", "hqx", "ico", "ini", "jar", "jp2", "jpeg", "jpg", + "js", "jxr", "mid", "midi", "mov", "mp3", "mp4", "nc", "ogv", + "otc", "otf", "pct", "pdf", "pict", "pls", "png", "ppc", "ppt", + "pptx", "ps", "pws", "svg", "svgz", "swa", "swf", "tif", "tiff", + "ttc", "ttf", "txt", "vbs", "w32", "wav", "wbmp", "wdp", "webm", + "webp", "wml", "wmlc", "wmls", "wmlsc", "woff", "woff2", "xls", + "xlsx", "xsd", "zip" ] }, "matchType" : "path", diff --git a/aap-asm/security-config/reputation-profiles.tf b/aap-asm/security-config/reputation-profiles.tf new file mode 100644 index 0000000..383ba91 --- /dev/null +++ b/aap-asm/security-config/reputation-profiles.tf @@ -0,0 +1,201 @@ +resource "time_sleep" "wait_cr" { + count = var.enable_client_reputation ? 1 : 0 + create_duration = "20s" + depends_on = [akamai_appsec_configuration.config] +} + +# Web Attackers +resource "akamai_appsec_reputation_profile" "web_attackers_high_threat" { + count = var.enable_client_reputation ? 1 : 0 + config_id = akamai_appsec_configuration.config.config_id + reputation_profile = jsonencode({ + "context" : "WEBATCK", + "name" : "Web Attackers (High Threat)", + "sharedIpHandling" : "NON_SHARED", + "threshold" : 9 + }) + depends_on = [time_sleep.wait_cr] +} + +resource "akamai_appsec_reputation_profile" "web_attackers_high_threat_shared" { + count = var.enable_client_reputation ? 1 : 0 + config_id = akamai_appsec_configuration.config.config_id + reputation_profile = jsonencode({ + "context" : "WEBATCK", + "name" : "Web Attackers (High Threat) [Shared IPs]", + "sharedIpHandling" : "SHARED_ONLY", + "threshold" : 9 + }) + depends_on = [akamai_appsec_reputation_profile.web_attackers_high_threat, time_sleep.wait_cr] +} + +resource "akamai_appsec_reputation_profile" "web_attackers_low_threat" { + count = var.enable_client_reputation ? 1 : 0 + config_id = akamai_appsec_configuration.config.config_id + reputation_profile = jsonencode({ + "context" : "WEBATCK", + "name" : "Web Attackers (Low Threat)", + "sharedIpHandling" : "NON_SHARED", + "threshold" : 5 + }) + depends_on = [time_sleep.wait_cr] +} + +resource "akamai_appsec_reputation_profile" "web_attackers_low_threat_shared" { + count = var.enable_client_reputation ? 1 : 0 + config_id = akamai_appsec_configuration.config.config_id + reputation_profile = jsonencode({ + "context" : "WEBATCK", + "name" : "Web Attackers (Low Threat) [Shared IPs]", + "sharedIpHandling" : "SHARED_ONLY", + "threshold" : 7 + }) + depends_on = [akamai_appsec_reputation_profile.web_attackers_low_threat, time_sleep.wait_cr] +} + +# DoS Attackers +resource "akamai_appsec_reputation_profile" "dos_attackers_high_threat" { + count = var.enable_client_reputation ? 1 : 0 + config_id = akamai_appsec_configuration.config.config_id + reputation_profile = jsonencode({ + "context" : "DOSATCK", + "name" : "DoS Attackers (High Threat)", + "sharedIpHandling" : "NON_SHARED", + "threshold" : 9 + }) + depends_on = [time_sleep.wait_cr] +} + +resource "akamai_appsec_reputation_profile" "dos_attackers_high_threat_shared" { + count = var.enable_client_reputation ? 1 : 0 + config_id = akamai_appsec_configuration.config.config_id + reputation_profile = jsonencode({ + "context" : "DOSATCK", + "name" : "DoS Attackers (High Threat) [Shared IPs]", + "sharedIpHandling" : "SHARED_ONLY", + "threshold" : 9 + }) + depends_on = [akamai_appsec_reputation_profile.dos_attackers_high_threat, time_sleep.wait_cr] +} + +resource "akamai_appsec_reputation_profile" "dos_attackers_low_threat" { + count = var.enable_client_reputation ? 1 : 0 + config_id = akamai_appsec_configuration.config.config_id + reputation_profile = jsonencode({ + "context" : "DOSATCK", + "name" : "DoS Attackers (Low Threat)", + "sharedIpHandling" : "NON_SHARED", + "threshold" : 5 + }) + depends_on = [time_sleep.wait_cr] +} + +resource "akamai_appsec_reputation_profile" "dos_attackers_low_threat_shared" { + count = var.enable_client_reputation ? 1 : 0 + config_id = akamai_appsec_configuration.config.config_id + reputation_profile = jsonencode({ + "context" : "DOSATCK", + "name" : "DoS Attackers (Low Threat) [Shared IPs]", + "sharedIpHandling" : "SHARED_ONLY", + "threshold" : 7 + }) + depends_on = [akamai_appsec_reputation_profile.dos_attackers_low_threat, time_sleep.wait_cr] +} + +# Scanning Tools +resource "akamai_appsec_reputation_profile" "scanning_tools_high_threat" { + count = var.enable_client_reputation ? 1 : 0 + config_id = akamai_appsec_configuration.config.config_id + reputation_profile = jsonencode({ + "context" : "SCANTL", + "name" : "Scanning Tools (High Threat)", + "sharedIpHandling" : "NON_SHARED", + "threshold" : 9 + }) + depends_on = [time_sleep.wait_cr] +} + +resource "akamai_appsec_reputation_profile" "scanning_tools_high_threat_shared" { + count = var.enable_client_reputation ? 1 : 0 + config_id = akamai_appsec_configuration.config.config_id + reputation_profile = jsonencode({ + "context" : "SCANTL", + "name" : "Scanning Tools (High Threat) [Shared IPs]", + "sharedIpHandling" : "SHARED_ONLY", + "threshold" : 9 + }) + depends_on = [akamai_appsec_reputation_profile.scanning_tools_high_threat, time_sleep.wait_cr] +} + +resource "akamai_appsec_reputation_profile" "scanning_tools_low_threat" { + count = var.enable_client_reputation ? 1 : 0 + config_id = akamai_appsec_configuration.config.config_id + reputation_profile = jsonencode({ + "context" : "SCANTL", + "name" : "Scanning Tools (Low Threat)", + "sharedIpHandling" : "NON_SHARED", + "threshold" : 5 + }) + depends_on = [time_sleep.wait_cr] +} + +resource "akamai_appsec_reputation_profile" "scanning_tools_low_threat_shared" { + count = var.enable_client_reputation ? 1 : 0 + config_id = akamai_appsec_configuration.config.config_id + reputation_profile = jsonencode({ + "context" : "SCANTL", + "name" : "Scanning Tools (Low Threat) [Shared IPs]", + "sharedIpHandling" : "SHARED_ONLY", + "threshold" : 7 + }) + depends_on = [akamai_appsec_reputation_profile.scanning_tools_low_threat, time_sleep.wait_cr] +} + +# Web Scrapers +resource "akamai_appsec_reputation_profile" "web_scrapers_high_threat" { + count = var.enable_client_reputation ? 1 : 0 + config_id = akamai_appsec_configuration.config.config_id + reputation_profile = jsonencode({ + "context" : "WEBSCRP", + "name" : "Web Scrapers (High Threat)", + "sharedIpHandling" : "NON_SHARED", + "threshold" : 9 + }) + depends_on = [time_sleep.wait_cr] +} + +resource "akamai_appsec_reputation_profile" "web_scrapers_high_threat_shared" { + count = var.enable_client_reputation ? 1 : 0 + config_id = akamai_appsec_configuration.config.config_id + reputation_profile = jsonencode({ + "context" : "WEBSCRP", + "name" : "Web Scrapers (High Threat) [Shared IPs]", + "sharedIpHandling" : "SHARED_ONLY", + "threshold" : 9 + }) + depends_on = [akamai_appsec_reputation_profile.web_scrapers_high_threat, time_sleep.wait_cr] +} + +resource "akamai_appsec_reputation_profile" "web_scrapers_low_threat" { + count = var.enable_client_reputation ? 1 : 0 + config_id = akamai_appsec_configuration.config.config_id + reputation_profile = jsonencode({ + "context" : "WEBSCRP", + "name" : "Web Scrapers (Low Threat)", + "sharedIpHandling" : "NON_SHARED", + "threshold" : 5 + }) + depends_on = [time_sleep.wait_cr] +} + +resource "akamai_appsec_reputation_profile" "web_scrapers_low_threat_shared" { + count = var.enable_client_reputation ? 1 : 0 + config_id = akamai_appsec_configuration.config.config_id + reputation_profile = jsonencode({ + "context" : "WEBSCRP", + "name" : "Web Scrapers (Low Threat) [Shared IPs]", + "sharedIpHandling" : "SHARED_ONLY", + "threshold" : 7 + }) + depends_on = [akamai_appsec_reputation_profile.web_scrapers_low_threat, time_sleep.wait_cr] +} diff --git a/aap-asm/security-config/variables.tf b/aap-asm/security-config/variables.tf new file mode 100644 index 0000000..68bbe22 --- /dev/null +++ b/aap-asm/security-config/variables.tf @@ -0,0 +1,66 @@ +variable "contract_id" { + description = "Akamai Contract ID" + type = string +} + +variable "group_name" { + description = "Akamai Group Name" + type = string +} + +variable "config_name" { + description = "Security configuration name" + type = string +} + +variable "description" { + description = "Security configuration description" + type = string +} + +variable "hostnames" { + description = "All hostnames to protect by the security config" + type = list(string) + + validation { + condition = alltrue([ + for h in var.hostnames : h == lower(h) + ]) + error_message = "All hostnames must be lowercase." + } +} + +variable "version_notes" { + description = "Notes for the configuration version" + type = string +} + +variable "inspection_size" { + description = "Request body inspection limit" + type = number + default = 32 +} + +variable "client_lists_rcbypass" { + description = "ID(s) for the Rate Control Bypass Client List" + type = list(string) + default = [] +} + +variable "client_lists_pragmabypass" { + description = "ID(s) for the Pragma Bypass Client List" + type = list(string) + default = [] +} + +variable "client_lists_securitybypass" { + description = "ID(s) for the Security Bypass Client List" + type = list(string) + default = [] +} + +variable "enable_client_reputation" { + description = "Enable Client Reputation profiles at config level" + type = bool + default = false +} diff --git a/aap-asm/security/versions.tf b/aap-asm/security-config/versions.tf similarity index 91% rename from aap-asm/security/versions.tf rename to aap-asm/security-config/versions.tf index 008b193..3fa8c90 100644 --- a/aap-asm/security/versions.tf +++ b/aap-asm/security-config/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { akamai = { source = "akamai/akamai" - version = "~> 9.0" + version = "~> 10.1" } random = { source = "hashicorp/random" @@ -14,5 +14,4 @@ terraform { } } required_version = ">= 1.9.0" - } diff --git a/aap-asm/security-policy/.terraform-docs.yaml b/aap-asm/security-policy/.terraform-docs.yaml new file mode 100644 index 0000000..d0f90f3 --- /dev/null +++ b/aap-asm/security-policy/.terraform-docs.yaml @@ -0,0 +1,68 @@ +header-from: main.tf +footer-from: "" +formatter: markdown table +recursive: + enabled: false + path: "" +content: |- + + {{ .Header }} + + # Usage + Basic usage of this module is as follows: + + ```hcl + module "example" { + {{"\t"}} source = "" + {{- if .Module.RequiredInputs }} + {{"\n\t"}} # Required variables + {{- range .Module.RequiredInputs }} + {{"\t"}} {{ .Name }} = <{{ .Type }}> + {{- end }} + {{- end }} + {{- if .Module.OptionalInputs }} + {{"\n\t"}} # Optional variables + {{- range .Module.OptionalInputs }} + {{"\t"}} {{ .Name }} = <{{ .Type }}> | default: {{ .GetValue | printf "%s" }} + {{- end }} + {{- end }} + } + ``` + + {{ .Requirements }} + + {{ .Resources }} + + {{ .Modules }} + + {{ .Inputs }} + + {{ .Outputs }} + +output: + file: README.md + mode: replace + template: |- + + {{ .Content }} + +output-values: + enabled: false + from: "" +sort: + enabled: true + by: required +settings: + anchor: true + color: true + default: true + description: true + escape: true + hide-empty: false + html: true + indent: 2 + lockfile: true + read-comments: true + required: true + sensitive: true + type: true \ No newline at end of file diff --git a/aap-asm/security-policy/README.md b/aap-asm/security-policy/README.md new file mode 100644 index 0000000..b5629f2 --- /dev/null +++ b/aap-asm/security-policy/README.md @@ -0,0 +1,308 @@ + + +# Security Policy (Per-Policy) + +Creates a single security policy within an existing Akamai Application Security +configuration, including all protection settings, WAF rules, DoS protections, +client reputation actions, and bot manager actions. + +This module is designed to be called with `for_each` to create multiple +policies per security configuration. + +# Usage +Basic usage of this module is as follows: + +```hcl +module "example" { + source = "" + + # Required variables + config_id = + hostnames = + match_target_sequence = + policy_name = + policy_prefix = + rate_policy_origin_error_id = + rate_policy_page_view_requests_id = + rate_policy_post_page_requests_id = + + # Optional variables + add_akamai_bot_header = | default: false + bot_academic_or_research = | default: "alert" + bot_aggressive_web_crawlers = | default: "alert" + bot_artificial_intelligence_ai = | default: "alert" + bot_browser_impersonator = | default: "alert" + bot_business_intelligence = | default: "alert" + bot_client_disabled_javascript_noscript_triggered = | default: "alert" + bot_cookie_integrity_failed = | default: "alert" + bot_declared_bots_keyword_match = | default: "alert" + bot_development_frameworks = | default: "alert" + bot_ecommerce_search_engine = | default: "alert" + bot_enterprise_data_aggregator = | default: "alert" + bot_financial_account_aggregator = | default: "alert" + bot_financial_services = | default: "alert" + bot_headless_browsersautomation_tools = | default: "alert" + bot_http_libraries = | default: "alert" + bot_impersonators_of_known_bots = | default: "alert" + bot_javascript_fingerprint_anomaly = | default: "alert" + bot_javascript_fingerprint_not_received = | default: "alert" + bot_job_search_engine = | default: "alert" + bot_media_or_entertainment_search = | default: "alert" + bot_news_aggregator = | default: "alert" + bot_online_advertising = | default: "alert" + bot_open_source_crawlersscraping_platforms = | default: "alert" + bot_rss_feed_reader = | default: "alert" + bot_seo_analytics_or_marketing = | default: "alert" + bot_session_validation = | default: "alert" + bot_site_monitoring_and_web_development = | default: "alert" + bot_social_media_or_blog = | default: "alert" + bot_web_archiver = | default: "alert" + bot_web_scraper_reputation = | default: "alert" + bot_web_search_engine = | default: "alert" + bot_web_services_libraries = | default: "alert" + botman_type = | default: "bvm" + bypass_network_lists = | default: [] + client_lists_exception_ipblock = | default: [] + client_lists_geoblock = | default: [] + client_lists_ipblock = | default: [] + dos_origin_error_action = | default: "alert" + dos_page_view_requests_action = | default: "alert" + dos_post_page_requests_action = | default: "alert" + enable_active_detections = | default: false + enable_botman = | default: false + enable_browser_validation = | default: false + enable_client_reputation = | default: false + enable_ip_geo = | default: true + enable_malware = | default: false + enable_rate = | default: true + enable_request_constraints = | default: false + enable_slow_post = | default: true + enable_waf = | default: true + penalty_box_action = | default: "alert" + remove_botman_cookies = | default: true + rep_dos_attackers_high = | default: "alert" + rep_dos_attackers_high_shared = | default: "alert" + rep_dos_attackers_low = | default: "none" + rep_dos_attackers_low_shared = | default: "none" + rep_scanning_tools_high = | default: "alert" + rep_scanning_tools_high_shared = | default: "alert" + rep_scanning_tools_low = | default: "none" + rep_scanning_tools_low_shared = | default: "none" + rep_web_attackers_high = | default: "alert" + rep_web_attackers_high_shared = | default: "alert" + rep_web_attackers_low = | default: "none" + rep_web_attackers_low_shared = | default: "none" + rep_web_scrapers_high = | default: "alert" + rep_web_scrapers_high_shared = | default: "alert" + rep_web_scrapers_low = | default: "none" + rep_web_scrapers_low_shared = | default: "none" + reputation_profile_ids = | default: {} + slow_post_action = | default: "alert" + third_party_proxy = | default: false + waf_cmd_action = | default: "alert" + waf_lfi_action = | default: "alert" + waf_platform_action = | default: "alert" + waf_policy_action = | default: "alert" + waf_protocol_action = | default: "alert" + waf_rfi_action = | default: "alert" + waf_sql_action = | default: "alert" + waf_wat_action = | default: "alert" + waf_xss_action = | default: "alert" +} + ``` + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.9.0 | +| [akamai](#requirement\_akamai) | ~> 9.0 | +| [time](#requirement\_time) | ~> 0.13 | + +## Resources + +| Name | Type | +|------|------| +| [akamai_appsec_api_constraints_protection.this](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_api_constraints_protection) | resource | +| [akamai_appsec_attack_group.CMD](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_attack_group) | resource | +| [akamai_appsec_attack_group.LFI](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_attack_group) | resource | +| [akamai_appsec_attack_group.PLATFORM](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_attack_group) | resource | +| [akamai_appsec_attack_group.POLICY](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_attack_group) | resource | +| [akamai_appsec_attack_group.PROTOCOL](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_attack_group) | resource | +| [akamai_appsec_attack_group.RFI](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_attack_group) | resource | +| [akamai_appsec_attack_group.SQL](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_attack_group) | resource | +| [akamai_appsec_attack_group.WAT](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_attack_group) | resource | +| [akamai_appsec_attack_group.XSS](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_attack_group) | resource | +| [akamai_appsec_ip_geo.this](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_ip_geo) | resource | +| [akamai_appsec_ip_geo_protection.this](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_ip_geo_protection) | resource | +| [akamai_appsec_malware_protection.this](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_malware_protection) | resource | +| [akamai_appsec_match_target.this](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_match_target) | resource | +| [akamai_appsec_penalty_box.this](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_penalty_box) | resource | +| [akamai_appsec_rate_policy_action.origin_error](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_rate_policy_action) | resource | +| [akamai_appsec_rate_policy_action.page_view_requests](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_rate_policy_action) | resource | +| [akamai_appsec_rate_policy_action.post_page_requests](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_rate_policy_action) | resource | +| [akamai_appsec_rate_protection.this](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_rate_protection) | resource | +| [akamai_appsec_reputation_profile_action.dos_attackers_high_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | +| [akamai_appsec_reputation_profile_action.dos_attackers_high_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | +| [akamai_appsec_reputation_profile_action.dos_attackers_low_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | +| [akamai_appsec_reputation_profile_action.dos_attackers_low_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | +| [akamai_appsec_reputation_profile_action.scanning_tools_high_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | +| [akamai_appsec_reputation_profile_action.scanning_tools_high_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | +| [akamai_appsec_reputation_profile_action.scanning_tools_low_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | +| [akamai_appsec_reputation_profile_action.scanning_tools_low_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | +| [akamai_appsec_reputation_profile_action.web_attackers_high_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | +| [akamai_appsec_reputation_profile_action.web_attackers_high_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | +| [akamai_appsec_reputation_profile_action.web_attackers_low_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | +| [akamai_appsec_reputation_profile_action.web_attackers_low_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | +| [akamai_appsec_reputation_profile_action.web_scrapers_high_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | +| [akamai_appsec_reputation_profile_action.web_scrapers_high_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | +| [akamai_appsec_reputation_profile_action.web_scrapers_low_threat](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | +| [akamai_appsec_reputation_profile_action.web_scrapers_low_threat_shared](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_profile_action) | resource | +| [akamai_appsec_reputation_protection.this](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_reputation_protection) | resource | +| [akamai_appsec_security_policy.this](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_security_policy) | resource | +| [akamai_appsec_slow_post.this](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_slow_post) | resource | +| [akamai_appsec_slowpost_protection.this](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_slowpost_protection) | resource | +| [akamai_appsec_waf_mode.this](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_waf_mode) | resource | +| [akamai_appsec_waf_protection.this](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_waf_protection) | resource | +| [akamai_botman_akamai_bot_category_action.academic_or_research](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | +| [akamai_botman_akamai_bot_category_action.artificial_intelligence_ai](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | +| [akamai_botman_akamai_bot_category_action.business_intelligence](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | +| [akamai_botman_akamai_bot_category_action.ecommerce_search_engine](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | +| [akamai_botman_akamai_bot_category_action.enterprise_data_aggregator](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | +| [akamai_botman_akamai_bot_category_action.financial_account_aggregator](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | +| [akamai_botman_akamai_bot_category_action.financial_services](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | +| [akamai_botman_akamai_bot_category_action.job_search_engine](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | +| [akamai_botman_akamai_bot_category_action.media_or_entertainment_search](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | +| [akamai_botman_akamai_bot_category_action.news_aggregator](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | +| [akamai_botman_akamai_bot_category_action.online_advertising](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | +| [akamai_botman_akamai_bot_category_action.rss_feed_reader](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | +| [akamai_botman_akamai_bot_category_action.seo_analytics_or_marketing](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | +| [akamai_botman_akamai_bot_category_action.site_monitoring_and_web_development](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | +| [akamai_botman_akamai_bot_category_action.social_media_or_blog](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | +| [akamai_botman_akamai_bot_category_action.web_archiver](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | +| [akamai_botman_akamai_bot_category_action.web_search_engine](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_akamai_bot_category_action) | resource | +| [akamai_botman_bot_detection_action.aggressive_web_crawlers](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_detection_action) | resource | +| [akamai_botman_bot_detection_action.browser_impersonator](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_detection_action) | resource | +| [akamai_botman_bot_detection_action.client_disabled_javascript_noscript_triggered](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_detection_action) | resource | +| [akamai_botman_bot_detection_action.cookie_integrity_failed](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_detection_action) | resource | +| [akamai_botman_bot_detection_action.declared_bots_keyword_match](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_detection_action) | resource | +| [akamai_botman_bot_detection_action.development_frameworks](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_detection_action) | resource | +| [akamai_botman_bot_detection_action.headless_browsersautomation_tools](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_detection_action) | resource | +| [akamai_botman_bot_detection_action.http_libraries](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_detection_action) | resource | +| [akamai_botman_bot_detection_action.impersonators_of_known_bots](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_detection_action) | resource | +| [akamai_botman_bot_detection_action.javascript_fingerprint_anomaly](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_detection_action) | resource | +| [akamai_botman_bot_detection_action.javascript_fingerprint_not_received](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_detection_action) | resource | +| [akamai_botman_bot_detection_action.open_source_crawlersscraping_platforms](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_detection_action) | resource | +| [akamai_botman_bot_detection_action.session_validation](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_detection_action) | resource | +| [akamai_botman_bot_detection_action.web_scraper_reputation](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_detection_action) | resource | +| [akamai_botman_bot_detection_action.web_services_libraries](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_detection_action) | resource | +| [akamai_botman_bot_management_settings.bot_manager_bms](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_management_settings) | resource | +| [akamai_botman_bot_management_settings.bot_manager_bvm](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/botman_bot_management_settings) | resource | + +## Modules + +No modules. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [config\_id](#input\_config\_id) | Akamai security configuration ID | `number` | n/a | yes | +| [hostnames](#input\_hostnames) | List of hostnames this policy protects | `list(string)` | n/a | yes | +| [match\_target\_sequence](#input\_match\_target\_sequence) | Sequence number for the match target (must be unique per policy) | `number` | n/a | yes | +| [policy\_name](#input\_policy\_name) | Name for the security policy | `string` | n/a | yes | +| [policy\_prefix](#input\_policy\_prefix) | Four-character alphanumeric prefix for the security policy | `string` | n/a | yes | +| [rate\_policy\_origin\_error\_id](#input\_rate\_policy\_origin\_error\_id) | Rate policy ID for origin error | `number` | n/a | yes | +| [rate\_policy\_page\_view\_requests\_id](#input\_rate\_policy\_page\_view\_requests\_id) | Rate policy ID for page view requests | `number` | n/a | yes | +| [rate\_policy\_post\_page\_requests\_id](#input\_rate\_policy\_post\_page\_requests\_id) | Rate policy ID for POST page requests | `number` | n/a | yes | +| [add\_akamai\_bot\_header](#input\_add\_akamai\_bot\_header) | Adds a header named Akamai-Bot to bot requests forwarded to the origin (BMS only) | `bool` | `false` | no | +| [bot\_academic\_or\_research](#input\_bot\_academic\_or\_research) | Action for Akamai bot category: Academic or Research Bots | `string` | `"alert"` | no | +| [bot\_aggressive\_web\_crawlers](#input\_bot\_aggressive\_web\_crawlers) | Action for bot transparent detection: Aggressive Web Crawlers | `string` | `"alert"` | no | +| [bot\_artificial\_intelligence\_ai](#input\_bot\_artificial\_intelligence\_ai) | Action for Akamai bot category: Artificial Intelligence (AI) Bots | `string` | `"alert"` | no | +| [bot\_browser\_impersonator](#input\_bot\_browser\_impersonator) | Action for bot transparent detection: Browser Impersonator | `string` | `"alert"` | no | +| [bot\_business\_intelligence](#input\_bot\_business\_intelligence) | Action for Akamai bot category: Business Intelligence Bots | `string` | `"alert"` | no | +| [bot\_client\_disabled\_javascript\_noscript\_triggered](#input\_bot\_client\_disabled\_javascript\_noscript\_triggered) | Bot active detection action: Client Disabled JavaScript (Noscript Triggered) | `string` | `"alert"` | no | +| [bot\_cookie\_integrity\_failed](#input\_bot\_cookie\_integrity\_failed) | Bot active detection action: Cookie Integrity Failed | `string` | `"alert"` | no | +| [bot\_declared\_bots\_keyword\_match](#input\_bot\_declared\_bots\_keyword\_match) | Action for bot transparent detection: Declared Bots (Keyword Match) | `string` | `"alert"` | no | +| [bot\_development\_frameworks](#input\_bot\_development\_frameworks) | Action for bot transparent detection: Development Frameworks | `string` | `"alert"` | no | +| [bot\_ecommerce\_search\_engine](#input\_bot\_ecommerce\_search\_engine) | Action for Akamai bot category: E-Commerce Search Engine Bots | `string` | `"alert"` | no | +| [bot\_enterprise\_data\_aggregator](#input\_bot\_enterprise\_data\_aggregator) | Action for Akamai bot category: Enterprise Data Aggregator Bots | `string` | `"alert"` | no | +| [bot\_financial\_account\_aggregator](#input\_bot\_financial\_account\_aggregator) | Action for Akamai bot category: Financial Account Aggregator Bots | `string` | `"alert"` | no | +| [bot\_financial\_services](#input\_bot\_financial\_services) | Action for Akamai bot category: Financial Services Bots | `string` | `"alert"` | no | +| [bot\_headless\_browsersautomation\_tools](#input\_bot\_headless\_browsersautomation\_tools) | Action for bot transparent detection: Headless Browsers/Automation Tools | `string` | `"alert"` | no | +| [bot\_http\_libraries](#input\_bot\_http\_libraries) | Action for bot transparent detection: HTTP Libraries | `string` | `"alert"` | no | +| [bot\_impersonators\_of\_known\_bots](#input\_bot\_impersonators\_of\_known\_bots) | Action for bot transparent detection: Impersonators of Known Bots | `string` | `"alert"` | no | +| [bot\_javascript\_fingerprint\_anomaly](#input\_bot\_javascript\_fingerprint\_anomaly) | Bot active detection action: JavaScript Fingerprint Anomaly | `string` | `"alert"` | no | +| [bot\_javascript\_fingerprint\_not\_received](#input\_bot\_javascript\_fingerprint\_not\_received) | Bot active detection action: JavaScript Fingerprint Not Received | `string` | `"alert"` | no | +| [bot\_job\_search\_engine](#input\_bot\_job\_search\_engine) | Action for Akamai bot category: Job Search Engine Bots | `string` | `"alert"` | no | +| [bot\_media\_or\_entertainment\_search](#input\_bot\_media\_or\_entertainment\_search) | Action for Akamai bot category: Media or Entertainment Search Bots | `string` | `"alert"` | no | +| [bot\_news\_aggregator](#input\_bot\_news\_aggregator) | Action for Akamai bot category: News Aggregator Bots | `string` | `"alert"` | no | +| [bot\_online\_advertising](#input\_bot\_online\_advertising) | Action for Akamai bot category: Online Advertising Bots | `string` | `"alert"` | no | +| [bot\_open\_source\_crawlersscraping\_platforms](#input\_bot\_open\_source\_crawlersscraping\_platforms) | Action for bot transparent detection: Open Source Crawlers/Scraping Platforms | `string` | `"alert"` | no | +| [bot\_rss\_feed\_reader](#input\_bot\_rss\_feed\_reader) | Action for Akamai bot category: RSS Feed Reader Bots | `string` | `"alert"` | no | +| [bot\_seo\_analytics\_or\_marketing](#input\_bot\_seo\_analytics\_or\_marketing) | Action for Akamai bot category: SEO, Analytics or Marketing Bots | `string` | `"alert"` | no | +| [bot\_session\_validation](#input\_bot\_session\_validation) | Bot active detection action: Session Validation | `string` | `"alert"` | no | +| [bot\_site\_monitoring\_and\_web\_development](#input\_bot\_site\_monitoring\_and\_web\_development) | Action for Akamai bot category: Site Monitoring and Web Development Bots | `string` | `"alert"` | no | +| [bot\_social\_media\_or\_blog](#input\_bot\_social\_media\_or\_blog) | Action for Akamai bot category: Social Media or Blog Bots | `string` | `"alert"` | no | +| [bot\_web\_archiver](#input\_bot\_web\_archiver) | Action for Akamai bot category: Web Archiver Bots | `string` | `"alert"` | no | +| [bot\_web\_scraper\_reputation](#input\_bot\_web\_scraper\_reputation) | Action for bot transparent detection: Web Scraper Reputation | `string` | `"alert"` | no | +| [bot\_web\_search\_engine](#input\_bot\_web\_search\_engine) | Action for Akamai bot category: Web Search Engine Bots | `string` | `"alert"` | no | +| [bot\_web\_services\_libraries](#input\_bot\_web\_services\_libraries) | Action for bot transparent detection: Web Services Libraries | `string` | `"alert"` | no | +| [botman\_type](#input\_botman\_type) | Bot manager entitlement type: bvm (Bot Visibility and Management) or bms (Bot Management Standard) | `string` | `"bvm"` | no | +| [bypass\_network\_lists](#input\_bypass\_network\_lists) | List of bypass network list objects for the match target |
list(object({
id = string
name = string
}))
| `[]` | no | +| [client\_lists\_exception\_ipblock](#input\_client\_lists\_exception\_ipblock) | List of IP network list IDs to exempt from blocking | `list(string)` | `[]` | no | +| [client\_lists\_geoblock](#input\_client\_lists\_geoblock) | List of geo network list IDs to block | `list(string)` | `[]` | no | +| [client\_lists\_ipblock](#input\_client\_lists\_ipblock) | List of IP network list IDs to block | `list(string)` | `[]` | no | +| [dos\_origin\_error\_action](#input\_dos\_origin\_error\_action) | DoS action for origin error rate policy | `string` | `"alert"` | no | +| [dos\_page\_view\_requests\_action](#input\_dos\_page\_view\_requests\_action) | DoS action for page view requests rate policy | `string` | `"alert"` | no | +| [dos\_post\_page\_requests\_action](#input\_dos\_post\_page\_requests\_action) | DoS action for POST page requests rate policy | `string` | `"alert"` | no | +| [enable\_active\_detections](#input\_enable\_active\_detections) | Enable active detection methods that interact with the requesting client (BMS only) | `bool` | `false` | no | +| [enable\_botman](#input\_enable\_botman) | Enable bot manager protection | `bool` | `false` | no | +| [enable\_browser\_validation](#input\_enable\_browser\_validation) | Confirm that requests come from a browser (BMS only) | `bool` | `false` | no | +| [enable\_client\_reputation](#input\_enable\_client\_reputation) | Enable client reputation protection | `bool` | `false` | no | +| [enable\_ip\_geo](#input\_enable\_ip\_geo) | Enable IP/Geo firewall protection | `bool` | `true` | no | +| [enable\_malware](#input\_enable\_malware) | Enable malware protection | `bool` | `false` | no | +| [enable\_rate](#input\_enable\_rate) | Enable rate control protection | `bool` | `true` | no | +| [enable\_request\_constraints](#input\_enable\_request\_constraints) | Enable API request constraints protection | `bool` | `false` | no | +| [enable\_slow\_post](#input\_enable\_slow\_post) | Enable slow POST protection | `bool` | `true` | no | +| [enable\_waf](#input\_enable\_waf) | Enable WAF protection | `bool` | `true` | no | +| [penalty\_box\_action](#input\_penalty\_box\_action) | Penalty box action (deny or alert) | `string` | `"alert"` | no | +| [remove\_botman\_cookies](#input\_remove\_botman\_cookies) | Remove Bot Manager cookies before sending request to origin | `bool` | `true` | no | +| [rep\_dos\_attackers\_high](#input\_rep\_dos\_attackers\_high) | Action for DoS attackers high threat reputation profile | `string` | `"alert"` | no | +| [rep\_dos\_attackers\_high\_shared](#input\_rep\_dos\_attackers\_high\_shared) | Action for DoS attackers high threat shared reputation profile | `string` | `"alert"` | no | +| [rep\_dos\_attackers\_low](#input\_rep\_dos\_attackers\_low) | Action for DoS attackers low threat reputation profile | `string` | `"none"` | no | +| [rep\_dos\_attackers\_low\_shared](#input\_rep\_dos\_attackers\_low\_shared) | Action for DoS attackers low threat shared reputation profile | `string` | `"none"` | no | +| [rep\_scanning\_tools\_high](#input\_rep\_scanning\_tools\_high) | Action for scanning tools high threat reputation profile | `string` | `"alert"` | no | +| [rep\_scanning\_tools\_high\_shared](#input\_rep\_scanning\_tools\_high\_shared) | Action for scanning tools high threat shared reputation profile | `string` | `"alert"` | no | +| [rep\_scanning\_tools\_low](#input\_rep\_scanning\_tools\_low) | Action for scanning tools low threat reputation profile | `string` | `"none"` | no | +| [rep\_scanning\_tools\_low\_shared](#input\_rep\_scanning\_tools\_low\_shared) | Action for scanning tools low threat shared reputation profile | `string` | `"none"` | no | +| [rep\_web\_attackers\_high](#input\_rep\_web\_attackers\_high) | Action for web attackers high threat reputation profile | `string` | `"alert"` | no | +| [rep\_web\_attackers\_high\_shared](#input\_rep\_web\_attackers\_high\_shared) | Action for web attackers high threat shared reputation profile | `string` | `"alert"` | no | +| [rep\_web\_attackers\_low](#input\_rep\_web\_attackers\_low) | Action for web attackers low threat reputation profile | `string` | `"none"` | no | +| [rep\_web\_attackers\_low\_shared](#input\_rep\_web\_attackers\_low\_shared) | Action for web attackers low threat shared reputation profile | `string` | `"none"` | no | +| [rep\_web\_scrapers\_high](#input\_rep\_web\_scrapers\_high) | Action for web scrapers high threat reputation profile | `string` | `"alert"` | no | +| [rep\_web\_scrapers\_high\_shared](#input\_rep\_web\_scrapers\_high\_shared) | Action for web scrapers high threat shared reputation profile | `string` | `"alert"` | no | +| [rep\_web\_scrapers\_low](#input\_rep\_web\_scrapers\_low) | Action for web scrapers low threat reputation profile | `string` | `"none"` | no | +| [rep\_web\_scrapers\_low\_shared](#input\_rep\_web\_scrapers\_low\_shared) | Action for web scrapers low threat shared reputation profile | `string` | `"none"` | no | +| [reputation\_profile\_ids](#input\_reputation\_profile\_ids) | Map of reputation profile IDs from the security-config module | `map(number)` | `{}` | no | +| [slow\_post\_action](#input\_slow\_post\_action) | Slow POST protection action | `string` | `"alert"` | no | +| [third\_party\_proxy](#input\_third\_party\_proxy) | Enable if using a third-party proxy service between Akamai Edge servers | `bool` | `false` | no | +| [waf\_cmd\_action](#input\_waf\_cmd\_action) | WAF action for CMD injection attack group | `string` | `"alert"` | no | +| [waf\_lfi\_action](#input\_waf\_lfi\_action) | WAF action for LFI (Local File Inclusion) attack group | `string` | `"alert"` | no | +| [waf\_platform\_action](#input\_waf\_platform\_action) | WAF action for PLATFORM attack group | `string` | `"alert"` | no | +| [waf\_policy\_action](#input\_waf\_policy\_action) | WAF action for POLICY attack group | `string` | `"alert"` | no | +| [waf\_protocol\_action](#input\_waf\_protocol\_action) | WAF action for PROTOCOL attack group | `string` | `"alert"` | no | +| [waf\_rfi\_action](#input\_waf\_rfi\_action) | WAF action for RFI (Remote File Inclusion) attack group | `string` | `"alert"` | no | +| [waf\_sql\_action](#input\_waf\_sql\_action) | WAF action for SQL injection attack group | `string` | `"alert"` | no | +| [waf\_wat\_action](#input\_waf\_wat\_action) | WAF action for WAT (Web Attack Tool) attack group | `string` | `"alert"` | no | +| [waf\_xss\_action](#input\_waf\_xss\_action) | WAF action for XSS attack group | `string` | `"alert"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [security\_policy\_id](#output\_security\_policy\_id) | The ID of the created security policy | + \ No newline at end of file diff --git a/aap-asm/security-policy/botman.tf b/aap-asm/security-policy/botman.tf new file mode 100644 index 0000000..014d321 --- /dev/null +++ b/aap-asm/security-policy/botman.tf @@ -0,0 +1,548 @@ +# Bot Management Settings + +resource "akamai_botman_bot_management_settings" "bot_manager_bvm" { + count = var.enable_botman && var.botman_type == "bvm" ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + bot_management_settings = jsonencode( + { + "addAkamaiBotHeader" : var.add_akamai_bot_header, + "enableActiveDetections" : var.enable_active_detections, + "enableBotManagement" : true, + "enableBrowserValidation" : var.enable_browser_validation, + "removeBotManagementCookies" : var.remove_botman_cookies, + "thirdPartyProxyServiceInUse" : var.third_party_proxy + } + ) +} + +resource "akamai_botman_bot_management_settings" "bot_manager_bms" { + count = var.enable_botman && var.botman_type == "bms" ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + bot_management_settings = jsonencode( + { + "addAkamaiBotHeader" : var.add_akamai_bot_header, + "enableActiveDetections" : var.enable_active_detections, + "enableBotManagement" : true + "enableBrowserValidation" : var.enable_browser_validation, + "removeBotManagementCookies" : var.remove_botman_cookies, + "thirdPartyProxyServiceInUse" : var.third_party_proxy + } + ) +} + +# Bot Active Detection Actions (BMS only) + +resource "akamai_botman_bot_detection_action" "session_validation" { + count = var.enable_botman && var.botman_type == "bms" ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + detection_id = "1bb748e2-b3ad-41db-85fa-c69e62be59dc" + bot_detection_action = jsonencode( + { + "action" : var.bot_session_validation, + "sessionActivitySensitivity" : "MEDIUM" + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} + +resource "akamai_botman_bot_detection_action" "javascript_fingerprint_anomaly" { + count = var.enable_botman && var.botman_type == "bms" ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + detection_id = "393cba3d-656f-48f1-abe4-8dd5028c6871" + bot_detection_action = jsonencode( + { + "action" : var.bot_javascript_fingerprint_anomaly + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} + +resource "akamai_botman_bot_detection_action" "cookie_integrity_failed" { + count = var.enable_botman && var.botman_type == "bms" ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + detection_id = "4f1fd3ea-7072-4cd0-8d12-24f275e6c75d" + bot_detection_action = jsonencode( + { + "action" : var.bot_cookie_integrity_failed + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} + +resource "akamai_botman_bot_detection_action" "client_disabled_javascript_noscript_triggered" { + count = var.enable_botman && var.botman_type == "bms" ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + detection_id = "c5623efa-f326-41d1-9601-a2d201bedf63" + bot_detection_action = jsonencode( + { + "action" : var.bot_client_disabled_javascript_noscript_triggered + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} + +resource "akamai_botman_bot_detection_action" "javascript_fingerprint_not_received" { + count = var.enable_botman && var.botman_type == "bms" ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + detection_id = "c7f70f75-e3e2-4181-8ef8-30afb6576147" + bot_detection_action = jsonencode( + { + "action" : var.bot_javascript_fingerprint_not_received + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} + +# Bot Category Actions + +resource "akamai_botman_akamai_bot_category_action" "site_monitoring_and_web_development" { + count = var.enable_botman ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + category_id = "07782c03-8d21-4491-9078-b83514e6508f" + akamai_bot_category_action = jsonencode( + { + "action" : var.bot_site_monitoring_and_web_development + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bvm, + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} + +resource "akamai_botman_akamai_bot_category_action" "academic_or_research" { + count = var.enable_botman ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + category_id = "0c508e1d-73a4-4366-9e48-3c4a080f1c5d" + akamai_bot_category_action = jsonencode( + { + "action" : var.bot_academic_or_research + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bvm, + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} + +resource "akamai_botman_akamai_bot_category_action" "job_search_engine" { + count = var.enable_botman ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + category_id = "2f169206-f32c-48f7-b281-d534cf1ceeb3" + akamai_bot_category_action = jsonencode( + { + "action" : var.bot_job_search_engine + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bvm, + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} + +resource "akamai_botman_akamai_bot_category_action" "artificial_intelligence_ai" { + count = var.enable_botman ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + category_id = "352fca87-71ee-4b8d-ae15-d36772556072" + akamai_bot_category_action = jsonencode( + { + "action" : var.bot_artificial_intelligence_ai + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bvm, + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} + +resource "akamai_botman_akamai_bot_category_action" "online_advertising" { + count = var.enable_botman ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + category_id = "36b27e0c-76fc-44a4-b913-c598c5af8bba" + akamai_bot_category_action = jsonencode( + { + "action" : var.bot_online_advertising + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bvm, + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} + +resource "akamai_botman_akamai_bot_category_action" "ecommerce_search_engine" { + count = var.enable_botman ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + category_id = "47bcfb70-f3f5-458b-8f7c-1773b14bc6a4" + akamai_bot_category_action = jsonencode( + { + "action" : var.bot_ecommerce_search_engine + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bvm, + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} + +resource "akamai_botman_akamai_bot_category_action" "web_search_engine" { + count = var.enable_botman ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + category_id = "4e14219f-6568-4c9d-9bd8-b29ca2afc422" + akamai_bot_category_action = jsonencode( + { + "action" : var.bot_web_search_engine + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bvm, + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} + +resource "akamai_botman_akamai_bot_category_action" "enterprise_data_aggregator" { + count = var.enable_botman ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + category_id = "50395ad2-2673-41a4-b317-9b70742fd40f" + akamai_bot_category_action = jsonencode( + { + "action" : var.bot_enterprise_data_aggregator + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bvm, + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} + +resource "akamai_botman_akamai_bot_category_action" "financial_services" { + count = var.enable_botman ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + category_id = "53598904-21f5-46b1-8b51-1b991beef73b" + akamai_bot_category_action = jsonencode( + { + "action" : var.bot_financial_services + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bvm, + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} + +resource "akamai_botman_akamai_bot_category_action" "social_media_or_blog" { + count = var.enable_botman ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + category_id = "7035af8d-148c-429a-89da-de41e68c72d8" + akamai_bot_category_action = jsonencode( + { + "action" : var.bot_social_media_or_blog + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bvm, + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} + +resource "akamai_botman_akamai_bot_category_action" "web_archiver" { + count = var.enable_botman ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + category_id = "831ef84a-c2bb-4b0d-b90d-bcd16793b830" + akamai_bot_category_action = jsonencode( + { + "action" : var.bot_web_archiver + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bvm, + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} + +resource "akamai_botman_akamai_bot_category_action" "business_intelligence" { + count = var.enable_botman ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + category_id = "8a70d29c-a491-4583-9768-7deea2f379c1" + akamai_bot_category_action = jsonencode( + { + "action" : var.bot_business_intelligence + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bvm, + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} + +resource "akamai_botman_akamai_bot_category_action" "news_aggregator" { + count = var.enable_botman ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + category_id = "ade03247-6519-4591-8458-9b7347004b63" + akamai_bot_category_action = jsonencode( + { + "action" : var.bot_news_aggregator + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bvm, + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} + +resource "akamai_botman_akamai_bot_category_action" "rss_feed_reader" { + count = var.enable_botman ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + category_id = "b58c9929-9fd0-45f7-86f4-1d6259285c3c" + akamai_bot_category_action = jsonencode( + { + "action" : var.bot_rss_feed_reader + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bvm, + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} + +resource "akamai_botman_akamai_bot_category_action" "financial_account_aggregator" { + count = var.enable_botman ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + category_id = "c6692e03-d3a8-49b0-9566-5003eeaddbc1" + akamai_bot_category_action = jsonencode( + { + "action" : var.bot_financial_account_aggregator + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bvm, + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} + +resource "akamai_botman_akamai_bot_category_action" "media_or_entertainment_search" { + count = var.enable_botman ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + category_id = "dff258d5-b1ad-4bbb-b1d1-cf8e700e5bba" + akamai_bot_category_action = jsonencode( + { + "action" : var.bot_media_or_entertainment_search + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bvm, + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} + +resource "akamai_botman_akamai_bot_category_action" "seo_analytics_or_marketing" { + count = var.enable_botman ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + category_id = "f7558c03-9033-46ce-bbda-10eeda62a5d4" + akamai_bot_category_action = jsonencode( + { + "action" : var.bot_seo_analytics_or_marketing + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bvm, + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} + +# Bot Transparent Detection Actions + +resource "akamai_botman_bot_detection_action" "declared_bots_keyword_match" { + count = var.enable_botman ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + detection_id = "074df68e-fb28-432a-ac6d-7cfb958425f1" + bot_detection_action = jsonencode( + { + "action" : var.bot_declared_bots_keyword_match + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bvm, + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} + +resource "akamai_botman_bot_detection_action" "http_libraries" { + count = var.enable_botman ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + detection_id = "578dad32-024b-48b4-930c-db81831686f4" + bot_detection_action = jsonencode( + { + "action" : var.bot_http_libraries + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bvm, + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} + +resource "akamai_botman_bot_detection_action" "aggressive_web_crawlers" { + count = var.enable_botman ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + detection_id = "5bc041ad-c840-4202-9c2e-d7fc873dbeaf" + bot_detection_action = jsonencode( + { + "action" : var.bot_aggressive_web_crawlers + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bvm, + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} + +resource "akamai_botman_bot_detection_action" "open_source_crawlersscraping_platforms" { + count = var.enable_botman ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + detection_id = "601192ae-f5e2-4a29-8f75-a0bcd3584c2b" + bot_detection_action = jsonencode( + { + "action" : var.bot_open_source_crawlersscraping_platforms + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bvm, + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} + +resource "akamai_botman_bot_detection_action" "web_services_libraries" { + count = var.enable_botman ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + detection_id = "872ed6c2-514c-4055-9c44-9782b1c783bf" + bot_detection_action = jsonencode( + { + "action" : var.bot_web_services_libraries + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bvm, + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} + +resource "akamai_botman_bot_detection_action" "web_scraper_reputation" { + count = var.enable_botman ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + detection_id = "9712ab32-83bb-43ab-a46d-4c2a5a42e7e2" + bot_detection_action = jsonencode( + { + "action" : var.bot_web_scraper_reputation, + "webScraperReputationSensitivity" : 4 + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bvm, + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} + +resource "akamai_botman_bot_detection_action" "browser_impersonator" { + count = var.enable_botman ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + detection_id = "a3b92f75-fa5d-436e-b066-426fc2919968" + bot_detection_action = jsonencode( + { + "action" : var.bot_browser_impersonator + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bvm, + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} + +resource "akamai_botman_bot_detection_action" "headless_browsersautomation_tools" { + count = var.enable_botman ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + detection_id = "b88cba13-4d11-46fe-a7e0-b47e78892dc4" + bot_detection_action = jsonencode( + { + "action" : var.bot_headless_browsersautomation_tools + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bvm, + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} + +resource "akamai_botman_bot_detection_action" "development_frameworks" { + count = var.enable_botman ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + detection_id = "da005ad3-8bbb-43c8-a783-d97d1fb71ad2" + bot_detection_action = jsonencode( + { + "action" : var.bot_development_frameworks + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bvm, + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} + +resource "akamai_botman_bot_detection_action" "impersonators_of_known_bots" { + count = var.enable_botman ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + detection_id = "fda1ffb9-ef46-4570-929c-7449c0c750f8" + bot_detection_action = jsonencode( + { + "action" : var.bot_impersonators_of_known_bots + } + ) + depends_on = [ + akamai_botman_bot_management_settings.bot_manager_bvm, + akamai_botman_bot_management_settings.bot_manager_bms, + ] +} diff --git a/aap-asm/security/firewall.tf b/aap-asm/security-policy/firewall.tf similarity index 56% rename from aap-asm/security/firewall.tf rename to aap-asm/security-policy/firewall.tf index 9acc772..2cfd7f9 100644 --- a/aap-asm/security/firewall.tf +++ b/aap-asm/security-policy/firewall.tf @@ -1,7 +1,6 @@ -// IP/GEO/ASN Firewall -resource "akamai_appsec_ip_geo" "tfdemo" { - config_id = akamai_appsec_configuration.config.config_id - security_policy_id = akamai_appsec_ip_geo_protection.tfdemo.security_policy_id +resource "akamai_appsec_ip_geo" "this" { + config_id = var.config_id + security_policy_id = akamai_appsec_ip_geo_protection.this.security_policy_id mode = "block" ip_controls { ip_network_lists = var.client_lists_ipblock @@ -11,7 +10,10 @@ resource "akamai_appsec_ip_geo" "tfdemo" { geo_network_lists = var.client_lists_geoblock action = "deny" } + asn_controls { + asn_network_lists = var.client_lists_asnblock + action = "deny" + } exception_ip_network_lists = var.client_lists_exception_ipblock ukraine_geo_control_action = "none" } - diff --git a/aap-asm/security-policy/main.tf b/aap-asm/security-policy/main.tf new file mode 100644 index 0000000..c78ecd1 --- /dev/null +++ b/aap-asm/security-policy/main.tf @@ -0,0 +1,18 @@ +/** + * # Security Policy (Per-Policy) + * + * Creates a single security policy within an existing Akamai Application Security + * configuration, including all protection settings, WAF rules, DoS protections, + * client reputation actions, and bot manager actions. + * + * This module is designed to be called with `for_each` to create multiple + * policies per security configuration. + * + */ + +resource "akamai_appsec_security_policy" "this" { + config_id = var.config_id + default_settings = true + security_policy_name = var.policy_name + security_policy_prefix = var.policy_prefix +} diff --git a/aap-asm/security-policy/match-targets.tf b/aap-asm/security-policy/match-targets.tf new file mode 100644 index 0000000..84d2f26 --- /dev/null +++ b/aap-asm/security-policy/match-targets.tf @@ -0,0 +1,20 @@ +resource "akamai_appsec_match_target" "this" { + config_id = var.config_id + match_target = jsonencode( + { + "defaultFile" : "NO_MATCH", + "filePaths" : [ + "/*" + ], + "hostnames" : var.hostnames, + "isNegativeFileExtensionMatch" : false, + "isNegativePathMatch" : false, + "bypassNetworkLists" : var.bypass_network_lists, + "securityPolicy" : { + "policyId" : akamai_appsec_security_policy.this.security_policy_id + }, + "sequence" : var.match_target_sequence, + "type" : "website" + } + ) +} diff --git a/aap-asm/security-policy/outputs.tf b/aap-asm/security-policy/outputs.tf new file mode 100644 index 0000000..5fef905 --- /dev/null +++ b/aap-asm/security-policy/outputs.tf @@ -0,0 +1,4 @@ +output "security_policy_id" { + description = "The ID of the created security policy" + value = akamai_appsec_security_policy.this.security_policy_id +} diff --git a/aap-asm/security-policy/penalty-box.tf b/aap-asm/security-policy/penalty-box.tf new file mode 100644 index 0000000..aca69ed --- /dev/null +++ b/aap-asm/security-policy/penalty-box.tf @@ -0,0 +1,7 @@ +resource "akamai_appsec_penalty_box" "this" { + count = var.enable_waf ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + penalty_box_protection = true + penalty_box_action = var.penalty_box_action +} diff --git a/aap-asm/security-policy/protections.tf b/aap-asm/security-policy/protections.tf new file mode 100644 index 0000000..10bf403 --- /dev/null +++ b/aap-asm/security-policy/protections.tf @@ -0,0 +1,35 @@ +resource "akamai_appsec_waf_protection" "this" { + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + enabled = var.enable_waf +} + +resource "akamai_appsec_api_constraints_protection" "this" { + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + enabled = var.enable_request_constraints +} + +resource "akamai_appsec_ip_geo_protection" "this" { + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + enabled = var.enable_ip_geo +} + +resource "akamai_appsec_malware_protection" "this" { + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + enabled = var.enable_malware +} + +resource "akamai_appsec_rate_protection" "this" { + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + enabled = var.enable_rate +} + +resource "akamai_appsec_slowpost_protection" "this" { + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + enabled = var.enable_slow_post +} diff --git a/aap-asm/security-policy/rate-policy-actions.tf b/aap-asm/security-policy/rate-policy-actions.tf new file mode 100644 index 0000000..46a9de7 --- /dev/null +++ b/aap-asm/security-policy/rate-policy-actions.tf @@ -0,0 +1,26 @@ +resource "akamai_appsec_rate_policy_action" "origin_error" { + count = var.enable_rate ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_rate_protection.this.security_policy_id + rate_policy_id = var.rate_policy_origin_error_id + ipv4_action = var.dos_origin_error_action + ipv6_action = var.dos_origin_error_action +} + +resource "akamai_appsec_rate_policy_action" "post_page_requests" { + count = var.enable_rate ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_rate_protection.this.security_policy_id + rate_policy_id = var.rate_policy_post_page_requests_id + ipv4_action = var.dos_post_page_requests_action + ipv6_action = var.dos_post_page_requests_action +} + +resource "akamai_appsec_rate_policy_action" "page_view_requests" { + count = var.enable_rate ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_rate_protection.this.security_policy_id + rate_policy_id = var.rate_policy_page_view_requests_id + ipv4_action = var.dos_page_view_requests_action + ipv6_action = var.dos_page_view_requests_action +} diff --git a/aap-asm/security-policy/reputation.tf b/aap-asm/security-policy/reputation.tf new file mode 100644 index 0000000..db09357 --- /dev/null +++ b/aap-asm/security-policy/reputation.tf @@ -0,0 +1,138 @@ +resource "akamai_appsec_reputation_protection" "this" { + count = var.enable_client_reputation ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_security_policy.this.security_policy_id + enabled = true +} + +# Web Attackers +resource "akamai_appsec_reputation_profile_action" "web_attackers_high_threat" { + count = var.enable_client_reputation ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_reputation_protection.this[0].security_policy_id + reputation_profile_id = var.reputation_profile_ids["web_attackers_high_threat"] + action = var.rep_web_attackers_high +} + +resource "akamai_appsec_reputation_profile_action" "web_attackers_high_threat_shared" { + count = var.enable_client_reputation ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_reputation_protection.this[0].security_policy_id + reputation_profile_id = var.reputation_profile_ids["web_attackers_high_threat_shared"] + action = var.rep_web_attackers_high_shared +} + +resource "akamai_appsec_reputation_profile_action" "web_attackers_low_threat" { + count = var.enable_client_reputation ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_reputation_protection.this[0].security_policy_id + reputation_profile_id = var.reputation_profile_ids["web_attackers_low_threat"] + action = var.rep_web_attackers_low +} + +resource "akamai_appsec_reputation_profile_action" "web_attackers_low_threat_shared" { + count = var.enable_client_reputation ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_reputation_protection.this[0].security_policy_id + reputation_profile_id = var.reputation_profile_ids["web_attackers_low_threat_shared"] + action = var.rep_web_attackers_low_shared +} + +# DoS Attackers +resource "akamai_appsec_reputation_profile_action" "dos_attackers_high_threat" { + count = var.enable_client_reputation ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_reputation_protection.this[0].security_policy_id + reputation_profile_id = var.reputation_profile_ids["dos_attackers_high_threat"] + action = var.rep_dos_attackers_high +} + +resource "akamai_appsec_reputation_profile_action" "dos_attackers_high_threat_shared" { + count = var.enable_client_reputation ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_reputation_protection.this[0].security_policy_id + reputation_profile_id = var.reputation_profile_ids["dos_attackers_high_threat_shared"] + action = var.rep_dos_attackers_high_shared +} + +resource "akamai_appsec_reputation_profile_action" "dos_attackers_low_threat" { + count = var.enable_client_reputation ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_reputation_protection.this[0].security_policy_id + reputation_profile_id = var.reputation_profile_ids["dos_attackers_low_threat"] + action = var.rep_dos_attackers_low +} + +resource "akamai_appsec_reputation_profile_action" "dos_attackers_low_threat_shared" { + count = var.enable_client_reputation ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_reputation_protection.this[0].security_policy_id + reputation_profile_id = var.reputation_profile_ids["dos_attackers_low_threat_shared"] + action = var.rep_dos_attackers_low_shared +} + +# Scanning Tools +resource "akamai_appsec_reputation_profile_action" "scanning_tools_high_threat" { + count = var.enable_client_reputation ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_reputation_protection.this[0].security_policy_id + reputation_profile_id = var.reputation_profile_ids["scanning_tools_high_threat"] + action = var.rep_scanning_tools_high +} + +resource "akamai_appsec_reputation_profile_action" "scanning_tools_high_threat_shared" { + count = var.enable_client_reputation ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_reputation_protection.this[0].security_policy_id + reputation_profile_id = var.reputation_profile_ids["scanning_tools_high_threat_shared"] + action = var.rep_scanning_tools_high_shared +} + +resource "akamai_appsec_reputation_profile_action" "scanning_tools_low_threat" { + count = var.enable_client_reputation ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_reputation_protection.this[0].security_policy_id + reputation_profile_id = var.reputation_profile_ids["scanning_tools_low_threat"] + action = var.rep_scanning_tools_low +} + +resource "akamai_appsec_reputation_profile_action" "scanning_tools_low_threat_shared" { + count = var.enable_client_reputation ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_reputation_protection.this[0].security_policy_id + reputation_profile_id = var.reputation_profile_ids["scanning_tools_low_threat_shared"] + action = var.rep_scanning_tools_low_shared +} + +# Web Scrapers +resource "akamai_appsec_reputation_profile_action" "web_scrapers_high_threat" { + count = var.enable_client_reputation ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_reputation_protection.this[0].security_policy_id + reputation_profile_id = var.reputation_profile_ids["web_scrapers_high_threat"] + action = var.rep_web_scrapers_high +} + +resource "akamai_appsec_reputation_profile_action" "web_scrapers_high_threat_shared" { + count = var.enable_client_reputation ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_reputation_protection.this[0].security_policy_id + reputation_profile_id = var.reputation_profile_ids["web_scrapers_high_threat_shared"] + action = var.rep_web_scrapers_high_shared +} + +resource "akamai_appsec_reputation_profile_action" "web_scrapers_low_threat" { + count = var.enable_client_reputation ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_reputation_protection.this[0].security_policy_id + reputation_profile_id = var.reputation_profile_ids["web_scrapers_low_threat"] + action = var.rep_web_scrapers_low +} + +resource "akamai_appsec_reputation_profile_action" "web_scrapers_low_threat_shared" { + count = var.enable_client_reputation ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_reputation_protection.this[0].security_policy_id + reputation_profile_id = var.reputation_profile_ids["web_scrapers_low_threat_shared"] + action = var.rep_web_scrapers_low_shared +} diff --git a/aap-asm/security/slow-post.tf b/aap-asm/security-policy/slow-post.tf similarity index 51% rename from aap-asm/security/slow-post.tf rename to aap-asm/security-policy/slow-post.tf index 8b2c5bd..06ad706 100644 --- a/aap-asm/security/slow-post.tf +++ b/aap-asm/security-policy/slow-post.tf @@ -1,9 +1,8 @@ -// Slow Post Protection -resource "akamai_appsec_slow_post" "tfdemo" { - config_id = akamai_appsec_configuration.config.config_id - security_policy_id = akamai_appsec_slowpost_protection.tfdemo.security_policy_id +resource "akamai_appsec_slow_post" "this" { + count = var.enable_slow_post ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_slowpost_protection.this.security_policy_id slow_rate_action = var.slow_post_action slow_rate_threshold_rate = 10 slow_rate_threshold_period = 60 } - diff --git a/aap-asm/security-policy/variables.tf b/aap-asm/security-policy/variables.tf new file mode 100644 index 0000000..d13364a --- /dev/null +++ b/aap-asm/security-policy/variables.tf @@ -0,0 +1,572 @@ +# Policy Identity + +variable "config_id" { + description = "Akamai security configuration ID" + type = number +} + +variable "policy_name" { + description = "Name for the security policy" + type = string +} + +variable "policy_prefix" { + description = "Four-character alphanumeric prefix for the security policy" + type = string + validation { + condition = can(regex("^[A-Z0-9]{4}$", var.policy_prefix)) + error_message = "Policy prefix must be exactly 4 uppercase alphanumeric characters." + } +} + +# Match Target + +variable "hostnames" { + description = "List of hostnames this policy protects" + type = list(string) + validation { + condition = alltrue([for h in var.hostnames : h == lower(h)]) + error_message = "Hostnames must be lowercase." + } +} + +variable "match_target_sequence" { + description = "Sequence number for the match target (must be unique per policy)" + type = number +} + +variable "bypass_network_lists" { + description = "List of bypass network list objects for the match target" + type = list(object({ + id = string + name = string + })) + default = [] +} + +# Protection Toggles + +variable "enable_waf" { + description = "Enable WAF protection" + type = bool + default = true +} + +variable "enable_request_constraints" { + description = "Enable API request constraints protection" + type = bool + default = false +} + +variable "enable_ip_geo" { + description = "Enable IP/Geo firewall protection" + type = bool + default = true +} + +variable "enable_malware" { + description = "Enable malware protection" + type = bool + default = false +} + +variable "enable_rate" { + description = "Enable rate control protection" + type = bool + default = true +} + +variable "enable_slow_post" { + description = "Enable slow POST protection" + type = bool + default = true +} + +variable "enable_client_reputation" { + description = "Enable client reputation protection" + type = bool + default = false +} + +variable "enable_botman" { + description = "Enable bot manager protection" + type = bool + default = false +} + +# IP/Geo Firewall + +variable "client_lists_ipblock" { + description = "List of IP network list IDs to block" + type = list(string) + default = [] +} + +variable "client_lists_geoblock" { + description = "List of geo network list IDs to block" + type = list(string) + default = [] +} + +variable "client_lists_asnblock" { + description = "List of ASN network list IDs to block" + type = list(string) + default = [] +} + +variable "client_lists_exception_ipblock" { + description = "List of IP network list IDs to exempt from blocking" + type = list(string) + default = [] +} + +# WAF Actions + +variable "waf_policy_action" { + description = "WAF action for POLICY attack group" + type = string + default = "alert" +} + +variable "waf_wat_action" { + description = "WAF action for WAT (Web Attack Tool) attack group" + type = string + default = "alert" +} + +variable "waf_protocol_action" { + description = "WAF action for PROTOCOL attack group" + type = string + default = "alert" +} + +variable "waf_sql_action" { + description = "WAF action for SQL injection attack group" + type = string + default = "alert" +} + +variable "waf_xss_action" { + description = "WAF action for XSS attack group" + type = string + default = "alert" +} + +variable "waf_cmd_action" { + description = "WAF action for CMD injection attack group" + type = string + default = "alert" +} + +variable "waf_lfi_action" { + description = "WAF action for LFI (Local File Inclusion) attack group" + type = string + default = "alert" +} + +variable "waf_rfi_action" { + description = "WAF action for RFI (Remote File Inclusion) attack group" + type = string + default = "alert" +} + +variable "waf_platform_action" { + description = "WAF action for PLATFORM attack group" + type = string + default = "alert" +} + +# Penalty Box + +variable "penalty_box_action" { + description = "Penalty box action (deny or alert)" + type = string + default = "alert" +} + +# Rate Policy Actions + +variable "rate_policy_origin_error_id" { + description = "Rate policy ID for origin error" + type = number +} + +variable "rate_policy_post_page_requests_id" { + description = "Rate policy ID for POST page requests" + type = number +} + +variable "rate_policy_page_view_requests_id" { + description = "Rate policy ID for page view requests" + type = number +} + +variable "dos_origin_error_action" { + description = "DoS action for origin error rate policy" + type = string + default = "alert" +} + +variable "dos_post_page_requests_action" { + description = "DoS action for POST page requests rate policy" + type = string + default = "alert" +} + +variable "dos_page_view_requests_action" { + description = "DoS action for page view requests rate policy" + type = string + default = "alert" +} + +# Slow POST + +variable "slow_post_action" { + description = "Slow POST protection action" + type = string + default = "alert" +} + +# Client Reputation Actions + +variable "reputation_profile_ids" { + description = "Map of reputation profile IDs from the security-config module" + type = map(number) + default = {} +} + +variable "rep_web_attackers_high" { + description = "Action for web attackers high threat reputation profile" + type = string + default = "alert" +} + +variable "rep_web_attackers_high_shared" { + description = "Action for web attackers high threat shared reputation profile" + type = string + default = "alert" +} + +variable "rep_web_attackers_low" { + description = "Action for web attackers low threat reputation profile" + type = string + default = "none" +} + +variable "rep_web_attackers_low_shared" { + description = "Action for web attackers low threat shared reputation profile" + type = string + default = "none" +} + +variable "rep_dos_attackers_high" { + description = "Action for DoS attackers high threat reputation profile" + type = string + default = "alert" +} + +variable "rep_dos_attackers_high_shared" { + description = "Action for DoS attackers high threat shared reputation profile" + type = string + default = "alert" +} + +variable "rep_dos_attackers_low" { + description = "Action for DoS attackers low threat reputation profile" + type = string + default = "none" +} + +variable "rep_dos_attackers_low_shared" { + description = "Action for DoS attackers low threat shared reputation profile" + type = string + default = "none" +} + +variable "rep_scanning_tools_high" { + description = "Action for scanning tools high threat reputation profile" + type = string + default = "alert" +} + +variable "rep_scanning_tools_high_shared" { + description = "Action for scanning tools high threat shared reputation profile" + type = string + default = "alert" +} + +variable "rep_scanning_tools_low" { + description = "Action for scanning tools low threat reputation profile" + type = string + default = "none" +} + +variable "rep_scanning_tools_low_shared" { + description = "Action for scanning tools low threat shared reputation profile" + type = string + default = "none" +} + +variable "rep_web_scrapers_high" { + description = "Action for web scrapers high threat reputation profile" + type = string + default = "alert" +} + +variable "rep_web_scrapers_high_shared" { + description = "Action for web scrapers high threat shared reputation profile" + type = string + default = "alert" +} + +variable "rep_web_scrapers_low" { + description = "Action for web scrapers low threat reputation profile" + type = string + default = "none" +} + +variable "rep_web_scrapers_low_shared" { + description = "Action for web scrapers low threat shared reputation profile" + type = string + default = "none" +} + +# Bot Manager Settings + +variable "botman_type" { + description = "Bot manager entitlement type: bvm (Bot Visibility and Management) or bms (Bot Management Standard)" + type = string + default = "bvm" + validation { + condition = can(index(["bvm", "bms"], var.botman_type)) + error_message = "Invalid value for botman_type. Allowed values are bvm or bms." + } +} + +variable "add_akamai_bot_header" { + description = "Adds a header named Akamai-Bot to bot requests forwarded to the origin (BMS only)" + type = bool + default = false +} + +variable "enable_active_detections" { + description = "Enable active detection methods that interact with the requesting client (BMS only)" + type = bool + default = false +} + +variable "enable_browser_validation" { + description = "Confirm that requests come from a browser (BMS only)" + type = bool + default = false +} + +variable "remove_botman_cookies" { + description = "Remove Bot Manager cookies before sending request to origin" + type = bool + default = true +} + +variable "third_party_proxy" { + description = "Enable if using a third-party proxy service between Akamai Edge servers" + type = bool + default = false +} + +# Bot Active Detection Actions (BMS only) + +variable "bot_session_validation" { + description = "Bot active detection action: Session Validation" + type = string + default = "alert" +} + +variable "bot_javascript_fingerprint_anomaly" { + description = "Bot active detection action: JavaScript Fingerprint Anomaly" + type = string + default = "alert" +} + +variable "bot_cookie_integrity_failed" { + description = "Bot active detection action: Cookie Integrity Failed" + type = string + default = "alert" +} + +variable "bot_client_disabled_javascript_noscript_triggered" { + description = "Bot active detection action: Client Disabled JavaScript (Noscript Triggered)" + type = string + default = "alert" +} + +variable "bot_javascript_fingerprint_not_received" { + description = "Bot active detection action: JavaScript Fingerprint Not Received" + type = string + default = "alert" +} + +# Bot Category Actions + +variable "bot_site_monitoring_and_web_development" { + description = "Action for Akamai bot category: Site Monitoring and Web Development Bots" + type = string + default = "alert" +} + +variable "bot_academic_or_research" { + description = "Action for Akamai bot category: Academic or Research Bots" + type = string + default = "alert" +} + +variable "bot_job_search_engine" { + description = "Action for Akamai bot category: Job Search Engine Bots" + type = string + default = "alert" +} + +variable "bot_artificial_intelligence_ai" { + description = "Action for Akamai bot category: Artificial Intelligence (AI) Bots" + type = string + default = "alert" +} + +variable "bot_online_advertising" { + description = "Action for Akamai bot category: Online Advertising Bots" + type = string + default = "alert" +} + +variable "bot_ecommerce_search_engine" { + description = "Action for Akamai bot category: E-Commerce Search Engine Bots" + type = string + default = "alert" +} + +variable "bot_web_search_engine" { + description = "Action for Akamai bot category: Web Search Engine Bots" + type = string + default = "alert" +} + +variable "bot_enterprise_data_aggregator" { + description = "Action for Akamai bot category: Enterprise Data Aggregator Bots" + type = string + default = "alert" +} + +variable "bot_financial_services" { + description = "Action for Akamai bot category: Financial Services Bots" + type = string + default = "alert" +} + +variable "bot_social_media_or_blog" { + description = "Action for Akamai bot category: Social Media or Blog Bots" + type = string + default = "alert" +} + +variable "bot_web_archiver" { + description = "Action for Akamai bot category: Web Archiver Bots" + type = string + default = "alert" +} + +variable "bot_business_intelligence" { + description = "Action for Akamai bot category: Business Intelligence Bots" + type = string + default = "alert" +} + +variable "bot_news_aggregator" { + description = "Action for Akamai bot category: News Aggregator Bots" + type = string + default = "alert" +} + +variable "bot_rss_feed_reader" { + description = "Action for Akamai bot category: RSS Feed Reader Bots" + type = string + default = "alert" +} + +variable "bot_financial_account_aggregator" { + description = "Action for Akamai bot category: Financial Account Aggregator Bots" + type = string + default = "alert" +} + +variable "bot_media_or_entertainment_search" { + description = "Action for Akamai bot category: Media or Entertainment Search Bots" + type = string + default = "alert" +} + +variable "bot_seo_analytics_or_marketing" { + description = "Action for Akamai bot category: SEO, Analytics or Marketing Bots" + type = string + default = "alert" +} + +# Bot Transparent Detection Actions + +variable "bot_declared_bots_keyword_match" { + description = "Action for bot transparent detection: Declared Bots (Keyword Match)" + type = string + default = "alert" +} + +variable "bot_http_libraries" { + description = "Action for bot transparent detection: HTTP Libraries" + type = string + default = "alert" +} + +variable "bot_aggressive_web_crawlers" { + description = "Action for bot transparent detection: Aggressive Web Crawlers" + type = string + default = "alert" +} + +variable "bot_open_source_crawlersscraping_platforms" { + description = "Action for bot transparent detection: Open Source Crawlers/Scraping Platforms" + type = string + default = "alert" +} + +variable "bot_web_services_libraries" { + description = "Action for bot transparent detection: Web Services Libraries" + type = string + default = "alert" +} + +variable "bot_web_scraper_reputation" { + description = "Action for bot transparent detection: Web Scraper Reputation" + type = string + default = "alert" +} + +variable "bot_browser_impersonator" { + description = "Action for bot transparent detection: Browser Impersonator" + type = string + default = "alert" +} + +variable "bot_headless_browsersautomation_tools" { + description = "Action for bot transparent detection: Headless Browsers/Automation Tools" + type = string + default = "alert" +} + +variable "bot_development_frameworks" { + description = "Action for bot transparent detection: Development Frameworks" + type = string + default = "alert" +} + +variable "bot_impersonators_of_known_bots" { + description = "Action for bot transparent detection: Impersonators of Known Bots" + type = string + default = "alert" +} diff --git a/aap-asm/client-reputation/versions.tf b/aap-asm/security-policy/versions.tf similarity index 88% rename from aap-asm/client-reputation/versions.tf rename to aap-asm/security-policy/versions.tf index b37cd69..dd6fbad 100644 --- a/aap-asm/client-reputation/versions.tf +++ b/aap-asm/security-policy/versions.tf @@ -1,14 +1,13 @@ terraform { + required_version = ">= 1.9.0" required_providers { akamai = { source = "akamai/akamai" - version = "~> 9.0" + version = "~> 10.1" } time = { source = "hashicorp/time" version = "~> 0.13" } } - required_version = ">= 1.9.0" - } diff --git a/aap-asm/security-policy/waf.tf b/aap-asm/security-policy/waf.tf new file mode 100644 index 0000000..8807a37 --- /dev/null +++ b/aap-asm/security-policy/waf.tf @@ -0,0 +1,78 @@ +resource "akamai_appsec_waf_mode" "this" { + count = var.enable_waf ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_waf_protection.this.security_policy_id + mode = "ASE_AUTO" +} + +resource "akamai_appsec_attack_group" "POLICY" { + count = var.enable_waf ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_waf_protection.this.security_policy_id + attack_group = "POLICY" + attack_group_action = var.waf_policy_action +} + +resource "akamai_appsec_attack_group" "WAT" { + count = var.enable_waf ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_waf_protection.this.security_policy_id + attack_group = "WAT" + attack_group_action = var.waf_wat_action +} + +resource "akamai_appsec_attack_group" "PROTOCOL" { + count = var.enable_waf ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_waf_protection.this.security_policy_id + attack_group = "PROTOCOL" + attack_group_action = var.waf_protocol_action +} + +resource "akamai_appsec_attack_group" "SQL" { + count = var.enable_waf ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_waf_protection.this.security_policy_id + attack_group = "SQL" + attack_group_action = var.waf_sql_action +} + +resource "akamai_appsec_attack_group" "XSS" { + count = var.enable_waf ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_waf_protection.this.security_policy_id + attack_group = "XSS" + attack_group_action = var.waf_xss_action +} + +resource "akamai_appsec_attack_group" "CMD" { + count = var.enable_waf ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_waf_protection.this.security_policy_id + attack_group = "CMD" + attack_group_action = var.waf_cmd_action +} + +resource "akamai_appsec_attack_group" "LFI" { + count = var.enable_waf ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_waf_protection.this.security_policy_id + attack_group = "LFI" + attack_group_action = var.waf_lfi_action +} + +resource "akamai_appsec_attack_group" "RFI" { + count = var.enable_waf ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_waf_protection.this.security_policy_id + attack_group = "RFI" + attack_group_action = var.waf_rfi_action +} + +resource "akamai_appsec_attack_group" "PLATFORM" { + count = var.enable_waf ? 1 : 0 + config_id = var.config_id + security_policy_id = akamai_appsec_waf_protection.this.security_policy_id + attack_group = "PLATFORM" + attack_group_action = var.waf_platform_action +} diff --git a/aap-asm/security/README.md b/aap-asm/security/README.md deleted file mode 100644 index 1fdfbde..0000000 --- a/aap-asm/security/README.md +++ /dev/null @@ -1,165 +0,0 @@ - - -# Onboarding: Application Security Configuration - -The use case for this module is to quickly create a new Application Security configuration -serving a set of hostnames following Akamai Professional Services Best Practices. - -Read on to find out which resources are provisioned as part of this -process, and how to customize! - -# Usage -Basic usage of this module is as follows: - -```hcl -module "example" { - source = "" - - # Required variables - config_name = - contract_id = - description = - dos_origin_error_action = - dos_page_view_requests_action = - dos_post_page_requests_action = - enable_ip_geo = - enable_malware = - enable_rate = - enable_request_constraints = - enable_slow_post = - enable_waf = - group_name = - hostnames = - policy_name = - policy_prefix = - slow_post_action = - version_notes = - - # Optional variables - client_lists_exception_ipblock = | default: [] - client_lists_geoblock = | default: [] - client_lists_ipblock = | default: [] - client_lists_pragmabypass = | default: [] - client_lists_rcbypass = | default: [] - client_lists_securitybypass = | default: [] - inspection_size = | default: 32 - penalty_box_action = | default: "alert" - waf_cmd_action = | default: "alert" - waf_lfi_action = | default: "alert" - waf_platform_action = | default: "alert" - waf_policy_action = | default: "alert" - waf_protocol_action = | default: "alert" - waf_rfi_action = | default: "alert" - waf_sql_action = | default: "alert" - waf_wat_action = | default: "alert" - waf_xss_action = | default: "alert" -} - ``` - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.0 | -| [akamai](#requirement\_akamai) | ~> 9.0 | -| [random](#requirement\_random) | ~> 3.7 | -| [time](#requirement\_time) | ~> 0.13 | - -## Resources - -| Name | Type | -|------|------| -| [akamai_appsec_advanced_settings_attack_payload_logging.attack_payload_logging](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_advanced_settings_attack_payload_logging) | resource | -| [akamai_appsec_advanced_settings_evasive_path_match.evasive_path_match](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_advanced_settings_evasive_path_match) | resource | -| [akamai_appsec_advanced_settings_logging.logging](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_advanced_settings_logging) | resource | -| [akamai_appsec_advanced_settings_pii_learning.pii_learning](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_advanced_settings_pii_learning) | resource | -| [akamai_appsec_advanced_settings_pragma_header.pragma_header](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_advanced_settings_pragma_header) | resource | -| [akamai_appsec_advanced_settings_prefetch.prefetch](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_advanced_settings_prefetch) | resource | -| [akamai_appsec_advanced_settings_request_body.config_settings](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_advanced_settings_request_body) | resource | -| [akamai_appsec_api_constraints_protection.tfdemo](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_api_constraints_protection) | resource | -| [akamai_appsec_attack_group.tfdemo_CMD](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_attack_group) | resource | -| [akamai_appsec_attack_group.tfdemo_LFI](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_attack_group) | resource | -| [akamai_appsec_attack_group.tfdemo_PLATFORM](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_attack_group) | resource | -| [akamai_appsec_attack_group.tfdemo_POLICY](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_attack_group) | resource | -| [akamai_appsec_attack_group.tfdemo_PROTOCOL](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_attack_group) | resource | -| [akamai_appsec_attack_group.tfdemo_RFI](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_attack_group) | resource | -| [akamai_appsec_attack_group.tfdemo_SQL](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_attack_group) | resource | -| [akamai_appsec_attack_group.tfdemo_WAT](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_attack_group) | resource | -| [akamai_appsec_attack_group.tfdemo_XSS](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_attack_group) | resource | -| [akamai_appsec_configuration.config](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_configuration) | resource | -| [akamai_appsec_ip_geo.tfdemo](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_ip_geo) | resource | -| [akamai_appsec_ip_geo_protection.tfdemo](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_ip_geo_protection) | resource | -| [akamai_appsec_malware_protection.tfdemo](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_malware_protection) | resource | -| [akamai_appsec_match_target.website_8232297](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_match_target) | resource | -| [akamai_appsec_penalty_box.tfdemo](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_penalty_box) | resource | -| [akamai_appsec_rate_policy.origin_error](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_rate_policy) | resource | -| [akamai_appsec_rate_policy.page_view_requests](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_rate_policy) | resource | -| [akamai_appsec_rate_policy.post_page_requests](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_rate_policy) | resource | -| [akamai_appsec_rate_policy_action.tfdemo_origin_error](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_rate_policy_action) | resource | -| [akamai_appsec_rate_policy_action.tfdemo_page_view_requests](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_rate_policy_action) | resource | -| [akamai_appsec_rate_policy_action.tfdemo_post_page_requests](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_rate_policy_action) | resource | -| [akamai_appsec_rate_protection.tfdemo](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_rate_protection) | resource | -| [akamai_appsec_security_policy.tfdemo](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_security_policy) | resource | -| [akamai_appsec_slow_post.tfdemo](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_slow_post) | resource | -| [akamai_appsec_slowpost_protection.tfdemo](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_slowpost_protection) | resource | -| [akamai_appsec_version_notes.version_notes](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_version_notes) | resource | -| [akamai_appsec_waf_mode.tfdemo](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_waf_mode) | resource | -| [akamai_appsec_waf_protection.tfdemo](https://registry.terraform.io/providers/akamai/akamai/latest/docs/resources/appsec_waf_protection) | resource | -| [random_string.secret_header](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | -| [time_sleep.wait1](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | -| [time_sleep.wait2](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | -| [akamai_clientlist_lists.all](https://registry.terraform.io/providers/akamai/akamai/latest/docs/data-sources/clientlist_lists) | data source | -| [akamai_group.group](https://registry.terraform.io/providers/akamai/akamai/latest/docs/data-sources/group) | data source | - -## Modules - -No modules. - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [config\_name](#input\_config\_name) | Security configuration name | `string` | n/a | yes | -| [contract\_id](#input\_contract\_id) | Akamai Contract ID | `string` | n/a | yes | -| [description](#input\_description) | Security configuration description | `string` | n/a | yes | -| [dos\_origin\_error\_action](#input\_dos\_origin\_error\_action) | Action for the Origin Error | `string` | n/a | yes | -| [dos\_page\_view\_requests\_action](#input\_dos\_page\_view\_requests\_action) | Action for the Page View Requests | `string` | n/a | yes | -| [dos\_post\_page\_requests\_action](#input\_dos\_post\_page\_requests\_action) | Action for the POST Page Requests | `string` | n/a | yes | -| [enable\_ip\_geo](#input\_enable\_ip\_geo) | Enable IP/Geo Firewall Protection | `bool` | n/a | yes | -| [enable\_malware](#input\_enable\_malware) | Enable Malware Protection | `bool` | n/a | yes | -| [enable\_rate](#input\_enable\_rate) | Enable Rate Protection | `bool` | n/a | yes | -| [enable\_request\_constraints](#input\_enable\_request\_constraints) | Enable API Requests Constraints Protection | `bool` | n/a | yes | -| [enable\_slow\_post](#input\_enable\_slow\_post) | Enable Slow POST Protection | `bool` | n/a | yes | -| [enable\_waf](#input\_enable\_waf) | Enable Web Application Firewall Protection | `bool` | n/a | yes | -| [group\_name](#input\_group\_name) | Akamai Group Name | `string` | n/a | yes | -| [hostnames](#input\_hostnames) | Hostnames to protect by the security config | `list(string)` | n/a | yes | -| [policy\_name](#input\_policy\_name) | Name for the security policy | `string` | n/a | yes | -| [policy\_prefix](#input\_policy\_prefix) | Prefix for the security policy | `string` | n/a | yes | -| [slow\_post\_action](#input\_slow\_post\_action) | Action for the slow POST Protection | `string` | n/a | yes | -| [version\_notes](#input\_version\_notes) | Notes for the configuration version | `string` | n/a | yes | -| [client\_lists\_exception\_ipblock](#input\_client\_lists\_exception\_ipblock) | ID(s) for the IP Block Exceptions Client List | `list(string)` | `[]` | no | -| [client\_lists\_geoblock](#input\_client\_lists\_geoblock) | ID(s) for the Geo Block Client List | `list(string)` | `[]` | no | -| [client\_lists\_ipblock](#input\_client\_lists\_ipblock) | ID(s) for the IP Block Client List | `list(string)` | `[]` | no | -| [client\_lists\_pragmabypass](#input\_client\_lists\_pragmabypass) | ID(s) for the Pragma Bypass Client List | `list(string)` | `[]` | no | -| [client\_lists\_rcbypass](#input\_client\_lists\_rcbypass) | ID(s) for the Rate Control Bypass Client List | `list(string)` | `[]` | no | -| [client\_lists\_securitybypass](#input\_client\_lists\_securitybypass) | ID(s) for the Security Bypass Client List | `list(string)` | `[]` | no | -| [inspection\_size](#input\_inspection\_size) | Request body inspection limit | `number` | `32` | no | -| [penalty\_box\_action](#input\_penalty\_box\_action) | Action for WAF Penalty Box | `string` | `"alert"` | no | -| [waf\_cmd\_action](#input\_waf\_cmd\_action) | Action for WAF attack group: Command Injection | `string` | `"alert"` | no | -| [waf\_lfi\_action](#input\_waf\_lfi\_action) | Action for WAF attack group: Local File Inclusion | `string` | `"alert"` | no | -| [waf\_platform\_action](#input\_waf\_platform\_action) | Action for WAF attack group: Web Platform Attack | `string` | `"alert"` | no | -| [waf\_policy\_action](#input\_waf\_policy\_action) | Action for WAF attack group: Web Policy Violation | `string` | `"alert"` | no | -| [waf\_protocol\_action](#input\_waf\_protocol\_action) | Action for WAF attack group: Web Protocol Attack | `string` | `"alert"` | no | -| [waf\_rfi\_action](#input\_waf\_rfi\_action) | Action for WAF attack group: Remote File Inclusion | `string` | `"alert"` | no | -| [waf\_sql\_action](#input\_waf\_sql\_action) | Action for WAF attack group: SQL Injection | `string` | `"alert"` | no | -| [waf\_wat\_action](#input\_waf\_wat\_action) | Action for WAF attack group: Web Attack Tool | `string` | `"alert"` | no | -| [waf\_xss\_action](#input\_waf\_xss\_action) | Action for WAF attack group: Cross Site Scripting | `string` | `"alert"` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [client\_lists\_id\_to\_name\_map](#output\_client\_lists\_id\_to\_name\_map) | Mapping of client list IDs to their names | -| [config\_id](#output\_config\_id) | Security Configuration ID | -| [security\_policy\_id](#output\_security\_policy\_id) | Security Policy ID | - \ No newline at end of file diff --git a/aap-asm/security/match-targets.tf b/aap-asm/security/match-targets.tf deleted file mode 100644 index 4dde65f..0000000 --- a/aap-asm/security/match-targets.tf +++ /dev/null @@ -1,41 +0,0 @@ - -# Query all client lists -data "akamai_clientlist_lists" "all" { -} - -# Build the client list objects with id and name -locals { - # Create a map of list_id to list details from the data source - all_lists = { - for list in data.akamai_clientlist_lists.all.lists : list.list_id => list - } - - # Build the bypass network lists with id and name - bypass_network_lists = [ - for id in var.client_lists_securitybypass : { - "id" = id - "name" = lookup(local.all_lists, id, { name = "Unknown" }).name - } - ] -} - -resource "akamai_appsec_match_target" "website_8232297" { - config_id = akamai_appsec_configuration.config.config_id - match_target = jsonencode( - { - "defaultFile" : "NO_MATCH", - "filePaths" : [ - "/*" - ], - "hostnames" : var.hostnames, - "isNegativeFileExtensionMatch" : false, - "isNegativePathMatch" : false, - "bypassNetworkLists" : local.bypass_network_lists, - "securityPolicy" : { - "policyId" : akamai_appsec_security_policy.tfdemo.security_policy_id - }, - "sequence" : 0, - "type" : "website" - } - ) -} \ No newline at end of file diff --git a/aap-asm/security/outputs.tf b/aap-asm/security/outputs.tf deleted file mode 100644 index 6387b5e..0000000 --- a/aap-asm/security/outputs.tf +++ /dev/null @@ -1,14 +0,0 @@ -output "config_id" { - value = akamai_appsec_configuration.config.config_id - description = "Security Configuration ID" -} - -output "security_policy_id" { - value = akamai_appsec_security_policy.tfdemo.security_policy_id - description = "Security Policy ID" -} - -output "client_lists_id_to_name_map" { - description = "Mapping of client list IDs to their names" - value = local.bypass_network_lists -} diff --git a/aap-asm/security/penalty-box.tf b/aap-asm/security/penalty-box.tf deleted file mode 100644 index 5e7c9b7..0000000 --- a/aap-asm/security/penalty-box.tf +++ /dev/null @@ -1,7 +0,0 @@ -// Penalty Box -resource "akamai_appsec_penalty_box" "tfdemo" { - config_id = akamai_appsec_configuration.config.config_id - security_policy_id = akamai_appsec_security_policy.tfdemo.security_policy_id - penalty_box_protection = true - penalty_box_action = var.penalty_box_action -} diff --git a/aap-asm/security/policies.tf b/aap-asm/security/policies.tf deleted file mode 100644 index 57e1c52..0000000 --- a/aap-asm/security/policies.tf +++ /dev/null @@ -1,6 +0,0 @@ -resource "akamai_appsec_security_policy" "tfdemo" { - config_id = akamai_appsec_configuration.config.config_id - default_settings = true - security_policy_name = var.policy_name - security_policy_prefix = var.policy_prefix -} diff --git a/aap-asm/security/protections.tf b/aap-asm/security/protections.tf deleted file mode 100644 index b425e54..0000000 --- a/aap-asm/security/protections.tf +++ /dev/null @@ -1,36 +0,0 @@ -// Enable/Disable Protections for policy tfdemo -resource "akamai_appsec_waf_protection" "tfdemo" { - config_id = akamai_appsec_configuration.config.config_id - security_policy_id = akamai_appsec_security_policy.tfdemo.security_policy_id - enabled = var.enable_waf -} - -resource "akamai_appsec_api_constraints_protection" "tfdemo" { - config_id = akamai_appsec_configuration.config.config_id - security_policy_id = akamai_appsec_security_policy.tfdemo.security_policy_id - enabled = var.enable_request_constraints -} - -resource "akamai_appsec_ip_geo_protection" "tfdemo" { - config_id = akamai_appsec_configuration.config.config_id - security_policy_id = akamai_appsec_security_policy.tfdemo.security_policy_id - enabled = var.enable_ip_geo -} - -resource "akamai_appsec_malware_protection" "tfdemo" { - config_id = akamai_appsec_configuration.config.config_id - security_policy_id = akamai_appsec_security_policy.tfdemo.security_policy_id - enabled = var.enable_malware -} - -resource "akamai_appsec_rate_protection" "tfdemo" { - config_id = akamai_appsec_configuration.config.config_id - security_policy_id = akamai_appsec_security_policy.tfdemo.security_policy_id - enabled = var.enable_rate -} - -resource "akamai_appsec_slowpost_protection" "tfdemo" { - config_id = akamai_appsec_configuration.config.config_id - security_policy_id = akamai_appsec_security_policy.tfdemo.security_policy_id - enabled = var.enable_slow_post -} diff --git a/aap-asm/security/rate-policy-actions.tf b/aap-asm/security/rate-policy-actions.tf deleted file mode 100644 index 2f83f11..0000000 --- a/aap-asm/security/rate-policy-actions.tf +++ /dev/null @@ -1,25 +0,0 @@ -// Rate Policy Actions -resource "akamai_appsec_rate_policy_action" "tfdemo_origin_error" { - config_id = akamai_appsec_configuration.config.config_id - security_policy_id = akamai_appsec_rate_protection.tfdemo.security_policy_id - rate_policy_id = akamai_appsec_rate_policy.origin_error.rate_policy_id - ipv4_action = var.dos_origin_error_action - ipv6_action = var.dos_origin_error_action -} - -resource "akamai_appsec_rate_policy_action" "tfdemo_post_page_requests" { - config_id = akamai_appsec_configuration.config.config_id - security_policy_id = akamai_appsec_rate_protection.tfdemo.security_policy_id - rate_policy_id = akamai_appsec_rate_policy.post_page_requests.rate_policy_id - ipv4_action = var.dos_post_page_requests_action - ipv6_action = var.dos_post_page_requests_action -} - -resource "akamai_appsec_rate_policy_action" "tfdemo_page_view_requests" { - config_id = akamai_appsec_configuration.config.config_id - security_policy_id = akamai_appsec_rate_protection.tfdemo.security_policy_id - rate_policy_id = akamai_appsec_rate_policy.page_view_requests.rate_policy_id - ipv4_action = var.dos_page_view_requests_action - ipv6_action = var.dos_page_view_requests_action -} - diff --git a/aap-asm/security/variables.tf b/aap-asm/security/variables.tf deleted file mode 100644 index 55bfb47..0000000 --- a/aap-asm/security/variables.tf +++ /dev/null @@ -1,219 +0,0 @@ -# ------------------------------------------------- -# Common Variables -# ------------------------------------------------- -variable "contract_id" { - description = "Akamai Contract ID" - type = string -} - -variable "group_name" { - description = "Akamai Group Name" - type = string -} - -variable "config_name" { - description = "Security configuration name" - type = string -} - -variable "description" { - description = "Security configuration description" - type = string -} - -variable "hostnames" { - description = "Hostnames to protect by the security config" - type = list(string) - - validation { - condition = alltrue([ - for h in var.hostnames : h == lower(h) - ]) - error_message = "All hostnames must be lowercase." - } -} - - -variable "version_notes" { - description = "Notes for the configuration version" - type = string -} - -# ------------------------------------------------- -# Advanced settings -# ------------------------------------------------- -variable "inspection_size" { - description = "Request body inspection limit" - type = number - default = 32 -} - -# ------------------------------------------------- -# Protections -# ------------------------------------------------- -variable "enable_waf" { - description = "Enable Web Application Firewall Protection" - type = bool -} - -variable "enable_request_constraints" { - description = "Enable API Requests Constraints Protection" - type = bool -} - -variable "enable_ip_geo" { - description = "Enable IP/Geo Firewall Protection" - type = bool -} - -variable "enable_malware" { - description = "Enable Malware Protection" - type = bool -} - -variable "enable_rate" { - description = "Enable Rate Protection" - type = bool -} - -variable "enable_slow_post" { - description = "Enable Slow POST Protection" - type = bool -} - -# ------------------------------------------------- -# Client Lists -# ------------------------------------------------- -# IP/Geo Firewall -variable "client_lists_ipblock" { - description = "ID(s) for the IP Block Client List" - type = list(string) - default = [] -} - -variable "client_lists_exception_ipblock" { - description = "ID(s) for the IP Block Exceptions Client List" - type = list(string) - default = [] -} - -variable "client_lists_geoblock" { - description = "ID(s) for the Geo Block Client List" - type = list(string) - default = [] -} - -# Bypass Lists -variable "client_lists_securitybypass" { - description = "ID(s) for the Security Bypass Client List" - type = list(string) - default = [] -} - -variable "client_lists_rcbypass" { - description = "ID(s) for the Rate Control Bypass Client List" - type = list(string) - default = [] -} - -variable "client_lists_pragmabypass" { - description = "ID(s) for the Pragma Bypass Client List" - type = list(string) - default = [] -} - -# ------------------------------------------------- -# Specifics for the Security Policy -# ------------------------------------------------- -# Security Policy Details -variable "policy_name" { - description = "Name for the security policy" - type = string -} - -variable "policy_prefix" { - description = "Prefix for the security policy" - type = string -} - -# Dos Protection -variable "dos_origin_error_action" { - description = "Action for the Origin Error" - type = string -} - -variable "dos_post_page_requests_action" { - description = "Action for the POST Page Requests" - type = string -} - -variable "dos_page_view_requests_action" { - description = "Action for the Page View Requests" - type = string -} - -variable "slow_post_action" { - description = "Action for the slow POST Protection" - type = string -} - -# Web Application Firewall (WAF) Actions -variable "waf_policy_action" { - description = "Action for WAF attack group: Web Policy Violation" - type = string - default = "alert" -} - -variable "waf_wat_action" { - description = "Action for WAF attack group: Web Attack Tool" - type = string - default = "alert" -} - -variable "waf_protocol_action" { - description = "Action for WAF attack group: Web Protocol Attack" - type = string - default = "alert" -} - -variable "waf_sql_action" { - description = "Action for WAF attack group: SQL Injection" - type = string - default = "alert" -} - -variable "waf_xss_action" { - description = "Action for WAF attack group: Cross Site Scripting" - type = string - default = "alert" -} - -variable "waf_cmd_action" { - description = "Action for WAF attack group: Command Injection" - type = string - default = "alert" -} - -variable "waf_lfi_action" { - description = "Action for WAF attack group: Local File Inclusion" - type = string - default = "alert" -} - -variable "waf_rfi_action" { - description = "Action for WAF attack group: Remote File Inclusion" - type = string - default = "alert" -} - -variable "waf_platform_action" { - description = "Action for WAF attack group: Web Platform Attack" - type = string - default = "alert" -} - -variable "penalty_box_action" { - description = "Action for WAF Penalty Box" - type = string - default = "alert" -} diff --git a/aap-asm/security/waf.tf b/aap-asm/security/waf.tf deleted file mode 100644 index cb20e97..0000000 --- a/aap-asm/security/waf.tf +++ /dev/null @@ -1,79 +0,0 @@ -resource "akamai_appsec_waf_mode" "tfdemo" { - config_id = akamai_appsec_configuration.config.config_id - security_policy_id = akamai_appsec_waf_protection.tfdemo.security_policy_id - mode = "ASE_AUTO" -} - -# WAF Attack Group Actions -resource "akamai_appsec_attack_group" "tfdemo_POLICY" { - config_id = akamai_appsec_configuration.config.config_id - security_policy_id = akamai_appsec_waf_protection.tfdemo.security_policy_id - attack_group = "POLICY" - attack_group_action = var.waf_policy_action -} - -resource "akamai_appsec_attack_group" "tfdemo_WAT" { - config_id = akamai_appsec_configuration.config.config_id - security_policy_id = akamai_appsec_waf_protection.tfdemo.security_policy_id - attack_group = "WAT" - attack_group_action = var.waf_wat_action -} - -resource "akamai_appsec_attack_group" "tfdemo_PROTOCOL" { - config_id = akamai_appsec_configuration.config.config_id - security_policy_id = akamai_appsec_waf_protection.tfdemo.security_policy_id - attack_group = "PROTOCOL" - attack_group_action = var.waf_protocol_action -} - -resource "akamai_appsec_attack_group" "tfdemo_SQL" { - config_id = akamai_appsec_configuration.config.config_id - security_policy_id = akamai_appsec_waf_protection.tfdemo.security_policy_id - attack_group = "SQL" - attack_group_action = var.waf_sql_action -} - -resource "akamai_appsec_attack_group" "tfdemo_XSS" { - config_id = akamai_appsec_configuration.config.config_id - security_policy_id = akamai_appsec_waf_protection.tfdemo.security_policy_id - attack_group = "XSS" - attack_group_action = var.waf_xss_action -} - -resource "akamai_appsec_attack_group" "tfdemo_CMD" { - config_id = akamai_appsec_configuration.config.config_id - security_policy_id = akamai_appsec_waf_protection.tfdemo.security_policy_id - attack_group = "CMD" - attack_group_action = var.waf_cmd_action -} - -resource "akamai_appsec_attack_group" "tfdemo_LFI" { - config_id = akamai_appsec_configuration.config.config_id - security_policy_id = akamai_appsec_waf_protection.tfdemo.security_policy_id - attack_group = "LFI" - attack_group_action = var.waf_lfi_action -} - -resource "akamai_appsec_attack_group" "tfdemo_RFI" { - config_id = akamai_appsec_configuration.config.config_id - security_policy_id = akamai_appsec_waf_protection.tfdemo.security_policy_id - attack_group = "RFI" - attack_group_action = var.waf_rfi_action -} - -resource "akamai_appsec_attack_group" "tfdemo_PLATFORM" { - config_id = akamai_appsec_configuration.config.config_id - security_policy_id = akamai_appsec_waf_protection.tfdemo.security_policy_id - attack_group = "PLATFORM" - attack_group_action = var.waf_platform_action -} - - -// Additionally WAF Rule Actions can be managed individually. For example -// CMD Injection Attack Detected (OS Commands 4) -# resource "akamai_appsec_rule" "tfdemo_aseweb_attackcmd_injection_950002" { -# config_id = akamai_appsec_configuration.config.config_id -# security_policy_id = akamai_appsec_waf_protection.tfdemo.security_policy_id -# rule_id = "950002" -# rule_action = "alert" -# }