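---
# Integration tests for the aws_waf_condition, aws_waf_rule and aws_waf_web_acl
# modules. The same scenario is run twice: once against global WAF and once
# against WAF Regional (tasks carrying `region` and `waf_regional: true`).
# Every resource name is prefixed with `resource_prefix`, and the `always:`
# section removes everything the tests created.
#
# Booleans are written as `true`/`false` throughout (yamllint `truthy`),
# matching the existing `waf_regional: true`; Ansible reads `yes`/`no` and
# `true`/`false` identically, so behaviour is unchanged.
- block:
    # Credentials are stored once under a YAML anchor and merged into every
    # module call below with `<<: *aws_connection_info`. `no_log` keeps the
    # secret values out of this task's output.
    - name: set yaml anchor
      set_fact:
        aws_connection_info: &aws_connection_info
          aws_access_key: "{{ aws_access_key }}"
          aws_secret_key: "{{ aws_secret_key }}"
          security_token: "{{ security_token }}"
      no_log: true

    ##################################################
    # aws_waf_condition tests
    ##################################################

    - name: create WAF IP condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_ip_condition"
        filters:
          - ip_address: "10.0.0.0/8"
        type: ip
        <<: *aws_connection_info
      register: create_waf_ip_condition

    - name: add an IP address to WAF condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_ip_condition"
        filters:
          - ip_address: "10.0.0.0/8"
          - ip_address: "192.168.0.0/24"
        type: ip
        <<: *aws_connection_info
      register: add_ip_address_to_waf_condition

    - name: check expected waf filter length
      assert:
        that:
          - add_ip_address_to_waf_condition.condition.ip_set_descriptors|length == 2

    # Without purge_filters the new filter is appended to the existing two.
    - name: add an IP address to WAF condition (rely on purge_filters defaulting to false)
      aws_waf_condition:
        name: "{{ resource_prefix }}_ip_condition"
        filters:
          - ip_address: "192.168.10.0/24"
        type: ip
        <<: *aws_connection_info
      register: add_ip_address_to_waf_condition_no_purge

    - name: check waf filter length has increased
      assert:
        that:
          - add_ip_address_to_waf_condition_no_purge.condition.ip_set_descriptors|length == 3
          - add_ip_address_to_waf_condition_no_purge.changed

    # With purge_filters only the listed filter should remain.
    - name: add an IP address to WAF condition (set purge_filters)
      aws_waf_condition:
        name: "{{ resource_prefix }}_ip_condition"
        filters:
          - ip_address: "192.168.20.0/24"
        purge_filters: true
        type: ip
        <<: *aws_connection_info
      register: add_ip_address_to_waf_condition_purge

    - name: check waf filter length has reduced
      assert:
        that:
          - add_ip_address_to_waf_condition_purge.condition.ip_set_descriptors|length == 1
          - add_ip_address_to_waf_condition_purge.changed

    - name: create WAF byte condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_byte_condition"
        filters:
          - field_to_match: header
            position: STARTS_WITH
            target_string: Hello
            header: Content-type
        type: byte
        <<: *aws_connection_info
      register: create_waf_byte_condition

    # Idempotency check: identical parameters must not report a change.
    - name: recreate WAF byte condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_byte_condition"
        filters:
          - field_to_match: header
            position: STARTS_WITH
            target_string: Hello
            header: Content-type
        type: byte
        <<: *aws_connection_info
      register: recreate_waf_byte_condition

    - name: assert that no change was made
      assert:
        that:
          - not recreate_waf_byte_condition.changed

    - name: create WAF geo condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_geo_condition"
        filters:
          - country: US
          - country: AU
          - country: AT
        type: geo
        <<: *aws_connection_info
      register: create_waf_geo_condition

    - name: create WAF size condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_size_condition"
        filters:
          - field_to_match: query_string
            size: 300
            comparison: GT
        type: size
        <<: *aws_connection_info
      register: create_waf_size_condition

    - name: create WAF sql condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_sql_condition"
        filters:
          - field_to_match: query_string
            transformation: url_decode
        type: sql
        <<: *aws_connection_info
      register: create_waf_sql_condition

    - name: create WAF xss condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_xss_condition"
        filters:
          - field_to_match: query_string
            transformation: url_decode
        type: xss
        <<: *aws_connection_info
      register: create_waf_xss_condition

    - name: create WAF regex condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_regex_condition"
        filters:
          - field_to_match: query_string
            regex_pattern:
              name: greetings
              regex_strings:
                - '[hH]ello'
                - '^Hi there'
                - '.*Good Day to You'
        type: regex
        <<: *aws_connection_info
      register: create_waf_regex_condition

    # Same pattern set name and strings as above: the two conditions are
    # expected to share one regex pattern set (asserted below).
    - name: create a second WAF regex condition with the same regex
      aws_waf_condition:
        name: "{{ resource_prefix }}_regex_condition_part_2"
        filters:
          - field_to_match: header
            header: cookie
            regex_pattern:
              name: greetings
              regex_strings:
                - '[hH]ello'
                - '^Hi there'
                - '.*Good Day to You'
        type: regex
        <<: *aws_connection_info
      register: create_second_waf_regex_condition

    - name: check that the pattern is shared
      assert:
        that:
          - >
            create_waf_regex_condition.condition.regex_match_tuples[0].regex_pattern_set_id ==
            create_second_waf_regex_condition.condition.regex_match_tuples[0].regex_pattern_set_id
          - create_second_waf_regex_condition.changed

    - name: delete first WAF regex condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_regex_condition"
        filters:
          - field_to_match: query_string
            regex_pattern:
              name: greetings
              regex_strings:
                - '[hH]ello'
                - '^Hi there'
                - '.*Good Day to You'
        type: regex
        state: absent
        <<: *aws_connection_info
      register: delete_waf_regex_condition

    - name: delete second WAF regex condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_regex_condition_part_2"
        filters:
          - field_to_match: header
            header: cookie
            regex_pattern:
              name: greetings
              regex_strings:
                - '[hH]ello'
                - '^Hi there'
                - '.*Good Day to You'
        type: regex
        state: absent
        <<: *aws_connection_info
      register: delete_second_waf_regex_condition

    - name: create WAF regex condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_regex_condition"
        filters:
          - field_to_match: query_string
            regex_pattern:
              name: greetings
              regex_strings:
                - '[hH]ello'
                - '^Hi there'
                - '.*Good Day to You'
        type: regex
        <<: *aws_connection_info
      register: recreate_waf_regex_condition

    - name: check that a new pattern is created (because the first pattern should have been deleted once unused)
      assert:
        that:
          - >
            recreate_waf_regex_condition.condition.regex_match_tuples[0].regex_pattern_set_id !=
            create_waf_regex_condition.condition.regex_match_tuples[0].regex_pattern_set_id

    # --- WAF Regional: same condition scenario, scoped to aws_region ---

    - name: create WAF Regional IP condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_ip_condition"
        filters:
          - ip_address: "10.0.0.0/8"
        type: ip
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      register: create_waf_regional_ip_condition

    - name: add an IP address to WAF Regional condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_ip_condition"
        filters:
          - ip_address: "10.0.0.0/8"
          - ip_address: "192.168.0.0/24"
        type: ip
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      register: add_ip_address_to_waf_regional_condition

    - name: check expected WAF Regional filter length
      assert:
        that:
          - add_ip_address_to_waf_regional_condition.condition.ip_set_descriptors|length == 2

    - name: add an IP address to WAF Regional condition (rely on purge_filters defaulting to false)
      aws_waf_condition:
        name: "{{ resource_prefix }}_ip_condition"
        filters:
          - ip_address: "192.168.10.0/24"
        type: ip
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      register: add_ip_address_to_waf_regional_condition_no_purge

    - name: check WAF Regional filter length has increased
      assert:
        that:
          - add_ip_address_to_waf_regional_condition_no_purge.condition.ip_set_descriptors|length == 3
          - add_ip_address_to_waf_regional_condition_no_purge.changed

    - name: add an IP address to WAF Regional condition (set purge_filters)
      aws_waf_condition:
        name: "{{ resource_prefix }}_ip_condition"
        filters:
          - ip_address: "192.168.20.0/24"
        purge_filters: true
        type: ip
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      register: add_ip_address_to_waf_regional_condition_purge

    - name: check WAF Regional filter length has reduced
      assert:
        that:
          - add_ip_address_to_waf_regional_condition_purge.condition.ip_set_descriptors|length == 1
          - add_ip_address_to_waf_regional_condition_purge.changed

    - name: create WAF Regional byte condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_byte_condition"
        filters:
          - field_to_match: header
            position: STARTS_WITH
            target_string: Hello
            header: Content-type
        type: byte
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      register: create_waf_regional_byte_condition

    - name: recreate WAF Regional byte condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_byte_condition"
        filters:
          - field_to_match: header
            position: STARTS_WITH
            target_string: Hello
            header: Content-type
        type: byte
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      register: recreate_waf_regional_byte_condition

    - name: assert that no change was made
      assert:
        that:
          - not recreate_waf_regional_byte_condition.changed

    - name: create WAF Regional geo condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_geo_condition"
        filters:
          - country: US
          - country: AU
          - country: AT
        type: geo
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      register: create_waf_regional_geo_condition

    - name: create WAF Regional size condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_size_condition"
        filters:
          - field_to_match: query_string
            size: 300
            comparison: GT
        type: size
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      register: create_waf_regional_size_condition

    - name: create WAF Regional sql condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_sql_condition"
        filters:
          - field_to_match: query_string
            transformation: url_decode
        type: sql
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      register: create_waf_regional_sql_condition

    - name: create WAF Regional xss condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_xss_condition"
        filters:
          - field_to_match: query_string
            transformation: url_decode
        type: xss
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      register: create_waf_regional_xss_condition

    - name: create WAF Regional regex condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_regex_condition"
        filters:
          - field_to_match: query_string
            regex_pattern:
              name: greetings
              regex_strings:
                - '[hH]ello'
                - '^Hi there'
                - '.*Good Day to You'
        type: regex
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      register: create_waf_regional_regex_condition

    - name: create a second WAF Regional regex condition with the same regex
      aws_waf_condition:
        name: "{{ resource_prefix }}_regex_condition_part_2"
        filters:
          - field_to_match: header
            header: cookie
            regex_pattern:
              name: greetings
              regex_strings:
                - '[hH]ello'
                - '^Hi there'
                - '.*Good Day to You'
        type: regex
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      register: create_second_waf_regional_regex_condition

    - name: check that the pattern is shared
      assert:
        that:
          - >
            create_waf_regional_regex_condition.condition.regex_match_tuples[0].regex_pattern_set_id ==
            create_second_waf_regional_regex_condition.condition.regex_match_tuples[0].regex_pattern_set_id
          - create_second_waf_regional_regex_condition.changed

    - name: delete first WAF Regional regex condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_regex_condition"
        filters:
          - field_to_match: query_string
            regex_pattern:
              name: greetings
              regex_strings:
                - '[hH]ello'
                - '^Hi there'
                - '.*Good Day to You'
        type: regex
        state: absent
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      register: delete_waf_regional_regex_condition

    - name: delete second WAF Regional regex condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_regex_condition_part_2"
        filters:
          - field_to_match: header
            header: cookie
            regex_pattern:
              name: greetings
              regex_strings:
                - '[hH]ello'
                - '^Hi there'
                - '.*Good Day to You'
        type: regex
        state: absent
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      register: delete_second_waf_regional_regex_condition

    - name: create WAF Regional regex condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_regex_condition"
        filters:
          - field_to_match: query_string
            regex_pattern:
              name: greetings
              regex_strings:
                - '[hH]ello'
                - '^Hi there'
                - '.*Good Day to You'
        type: regex
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      register: recreate_waf_regional_regex_condition

    - name: check that a new pattern is created (because the first pattern should have been deleted once unused)
      assert:
        that:
          - >
            recreate_waf_regional_regex_condition.condition.regex_match_tuples[0].regex_pattern_set_id !=
            create_waf_regional_regex_condition.condition.regex_match_tuples[0].regex_pattern_set_id

    ##################################################
    # aws_waf_rule tests
    ##################################################

    - name: create WAF rule
      aws_waf_rule:
        name: "{{ resource_prefix }}_rule"
        conditions:
          - name: "{{ resource_prefix }}_regex_condition"
            type: regex
            negated: false
          - name: "{{ resource_prefix }}_geo_condition"
            type: geo
            negated: false
          - name: "{{ resource_prefix }}_byte_condition"
            type: byte
            negated: false
        purge_conditions: true
        <<: *aws_connection_info
      register: create_aws_waf_rule

    - name: check WAF rule
      assert:
        that:
          - create_aws_waf_rule.changed
          - create_aws_waf_rule.rule.predicates|length == 3

    # Idempotency check; the register name is deliberately reused.
    - name: recreate WAF rule
      aws_waf_rule:
        name: "{{ resource_prefix }}_rule"
        conditions:
          - name: "{{ resource_prefix }}_regex_condition"
            type: regex
            negated: false
          - name: "{{ resource_prefix }}_geo_condition"
            type: geo
            negated: false
          - name: "{{ resource_prefix }}_byte_condition"
            type: byte
            negated: false
        <<: *aws_connection_info
      register: create_aws_waf_rule

    - name: check WAF rule did not change
      assert:
        that:
          - not create_aws_waf_rule.changed
          - create_aws_waf_rule.rule.predicates|length == 3

    - name: add further WAF rules relying on purge_conditions defaulting to false
      aws_waf_rule:
        name: "{{ resource_prefix }}_rule"
        conditions:
          - name: "{{ resource_prefix }}_ip_condition"
            type: ip
            negated: true
          - name: "{{ resource_prefix }}_sql_condition"
            type: sql
            negated: false
          - name: "{{ resource_prefix }}_xss_condition"
            type: xss
            negated: false
        <<: *aws_connection_info
      register: add_conditions_to_aws_waf_rule

    - name: check WAF rule added rules
      assert:
        that:
          - add_conditions_to_aws_waf_rule.changed
          - add_conditions_to_aws_waf_rule.rule.predicates|length == 6

    # Adds the size condition and, via purge_conditions, drops the ones not
    # listed here (regex, geo, sql) so four predicates remain.
    - name: remove some rules through purging conditions
      aws_waf_rule:
        name: "{{ resource_prefix }}_rule"
        conditions:
          - name: "{{ resource_prefix }}_ip_condition"
            type: ip
            negated: true
          - name: "{{ resource_prefix }}_xss_condition"
            type: xss
            negated: false
          - name: "{{ resource_prefix }}_byte_condition"
            type: byte
            negated: false
          - name: "{{ resource_prefix }}_size_condition"
            type: size
            negated: false
        purge_conditions: true
        <<: *aws_connection_info
      register: add_and_remove_waf_rule_conditions

    - name: check WAF rules were updated as expected
      assert:
        that:
          - add_and_remove_waf_rule_conditions.changed
          - add_and_remove_waf_rule_conditions.rule.predicates|length == 4

    # A condition referenced by a rule must not be deletable; the failure is
    # expected and its message is checked below.
    - name: attempt to remove an in use condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_size_condition"
        type: size
        state: absent
        <<: *aws_connection_info
      ignore_errors: true
      register: remove_in_use_condition

    - name: check failure was sensible
      assert:
        that:
          - remove_in_use_condition.failed
          - "'Condition {{ resource_prefix }}_size_condition is in use' in remove_in_use_condition.msg"

    - name: create WAF Regional rule
      aws_waf_rule:
        name: "{{ resource_prefix }}_rule"
        conditions:
          - name: "{{ resource_prefix }}_regex_condition"
            type: regex
            negated: false
          - name: "{{ resource_prefix }}_geo_condition"
            type: geo
            negated: false
          - name: "{{ resource_prefix }}_byte_condition"
            type: byte
            negated: false
        purge_conditions: true
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      register: create_aws_waf_regional_rule

    - name: check WAF Regional rule
      assert:
        that:
          - create_aws_waf_regional_rule.changed
          - create_aws_waf_regional_rule.rule.predicates|length == 3

    - name: recreate WAF Regional rule
      aws_waf_rule:
        name: "{{ resource_prefix }}_rule"
        conditions:
          - name: "{{ resource_prefix }}_regex_condition"
            type: regex
            negated: false
          - name: "{{ resource_prefix }}_geo_condition"
            type: geo
            negated: false
          - name: "{{ resource_prefix }}_byte_condition"
            type: byte
            negated: false
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      register: create_aws_waf_regional_rule

    - name: check WAF Regional rule did not change
      assert:
        that:
          - not create_aws_waf_regional_rule.changed
          - create_aws_waf_regional_rule.rule.predicates|length == 3

    - name: add further WAF Regional rules relying on purge_conditions defaulting to false
      aws_waf_rule:
        name: "{{ resource_prefix }}_rule"
        conditions:
          - name: "{{ resource_prefix }}_ip_condition"
            type: ip
            negated: true
          - name: "{{ resource_prefix }}_sql_condition"
            type: sql
            negated: false
          - name: "{{ resource_prefix }}_xss_condition"
            type: xss
            negated: false
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      register: add_conditions_to_aws_waf_regional_rule

    - name: check WAF Regional rule added rules
      assert:
        that:
          - add_conditions_to_aws_waf_regional_rule.changed
          - add_conditions_to_aws_waf_regional_rule.rule.predicates|length == 6

    - name: remove some rules through purging conditions
      aws_waf_rule:
        name: "{{ resource_prefix }}_rule"
        conditions:
          - name: "{{ resource_prefix }}_ip_condition"
            type: ip
            negated: true
          - name: "{{ resource_prefix }}_xss_condition"
            type: xss
            negated: false
          - name: "{{ resource_prefix }}_byte_condition"
            type: byte
            negated: false
          - name: "{{ resource_prefix }}_size_condition"
            type: size
            negated: false
        purge_conditions: true
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      register: add_and_remove_waf_regional_rule_conditions

    - name: check WAF Regional rules were updated as expected
      assert:
        that:
          - add_and_remove_waf_regional_rule_conditions.changed
          - add_and_remove_waf_regional_rule_conditions.rule.predicates|length == 4

    - name: attempt to remove an WAF Regional in use condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_size_condition"
        type: size
        state: absent
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      ignore_errors: true
      register: remove_in_use_condition

    - name: check failure was sensible
      assert:
        that:
          - remove_in_use_condition.failed
          - "'Condition {{ resource_prefix }}_size_condition is in use' in remove_in_use_condition.msg"

    ##################################################
    # aws_waf_web_acl tests
    ##################################################

    - name: create web ACL
      aws_waf_web_acl:
        name: "{{ resource_prefix }}_web_acl"
        rules:
          - name: "{{ resource_prefix }}_rule"
            priority: 1
            action: block
        default_action: block
        purge_rules: true
        state: present
        <<: *aws_connection_info
      register: create_web_acl

    - name: recreate web acl
      aws_waf_web_acl:
        name: "{{ resource_prefix }}_web_acl"
        rules:
          - name: "{{ resource_prefix }}_rule"
            priority: 1
            action: block
        default_action: block
        state: present
        <<: *aws_connection_info
      register: recreate_web_acl

    - name: check web acl was not changed
      assert:
        that:
          - not recreate_web_acl.changed
          - recreate_web_acl.web_acl.rules|length == 1

    - name: create a second WAF rule
      aws_waf_rule:
        name: "{{ resource_prefix }}_rule_2"
        conditions:
          - name: "{{ resource_prefix }}_ip_condition"
            type: ip
            negated: true
          - name: "{{ resource_prefix }}_sql_condition"
            type: sql
            negated: false
          - name: "{{ resource_prefix }}_xss_condition"
            type: xss
            negated: false
        <<: *aws_connection_info

    # Without purge_rules the second rule is added alongside the first.
    - name: add a new rule to the web acl
      aws_waf_web_acl:
        name: "{{ resource_prefix }}_web_acl"
        rules:
          - name: "{{ resource_prefix }}_rule_2"
            priority: 2
            action: allow
        default_action: block
        state: present
        <<: *aws_connection_info
      register: web_acl_add_rule

    - name: check that rule was added to the web acl
      assert:
        that:
          - web_acl_add_rule.changed
          - web_acl_add_rule.web_acl.rules|length == 2

    - name: use purge rules to remove the first rule
      aws_waf_web_acl:
        name: "{{ resource_prefix }}_web_acl"
        rules:
          - name: "{{ resource_prefix }}_rule_2"
            priority: 2
            action: allow
        purge_rules: true
        default_action: block
        state: present
        <<: *aws_connection_info
      register: web_acl_add_rule

    - name: check that rule was removed from the web acl
      assert:
        that:
          - web_acl_add_rule.changed
          - web_acl_add_rule.web_acl.rules|length == 1

    # Replaces rule_2 with the first rule at the same priority (2), which
    # puts the first rule back in use for the deletion check that follows.
    - name: swap two rules of same priority
      aws_waf_web_acl:
        name: "{{ resource_prefix }}_web_acl"
        rules:
          - name: "{{ resource_prefix }}_rule"
            priority: 2
            action: allow
        purge_rules: true
        default_action: block
        state: present
        <<: *aws_connection_info
      register: web_acl_swap_rule

    - name: attempt to delete the inuse first rule
      aws_waf_rule:
        name: "{{ resource_prefix }}_rule"
        state: absent
        <<: *aws_connection_info
      ignore_errors: true
      register: remove_inuse_rule

    - name: check that removing in-use rule fails
      assert:
        that:
          - remove_inuse_rule.failed

    - name: delete the web acl
      aws_waf_web_acl:
        name: "{{ resource_prefix }}_web_acl"
        state: absent
        <<: *aws_connection_info
      register: delete_web_acl

    - name: check that web acl was deleted
      assert:
        that:
          - delete_web_acl.changed
          - not delete_web_acl.web_acl

    - name: delete the no longer in use first rule
      aws_waf_rule:
        name: "{{ resource_prefix }}_rule"
        state: absent
        <<: *aws_connection_info

    - name: create WAF Regional web ACL
      aws_waf_web_acl:
        name: "{{ resource_prefix }}_web_acl"
        rules:
          - name: "{{ resource_prefix }}_rule"
            priority: 1
            action: block
        default_action: block
        purge_rules: true
        state: present
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      register: create_waf_regional_web_acl

    - name: recreate WAF Regional web acl
      aws_waf_web_acl:
        name: "{{ resource_prefix }}_web_acl"
        rules:
          - name: "{{ resource_prefix }}_rule"
            priority: 1
            action: block
        default_action: block
        state: present
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      register: recreate_waf_regional_web_acl

    - name: check WAF Regional web acl was not changed
      assert:
        that:
          - not recreate_waf_regional_web_acl.changed
          - recreate_waf_regional_web_acl.web_acl.rules|length == 1

    - name: create a second WAF Regional rule
      aws_waf_rule:
        name: "{{ resource_prefix }}_rule_2"
        conditions:
          - name: "{{ resource_prefix }}_ip_condition"
            type: ip
            negated: true
          - name: "{{ resource_prefix }}_sql_condition"
            type: sql
            negated: false
          - name: "{{ resource_prefix }}_xss_condition"
            type: xss
            negated: false
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info

    - name: add a new rule to the WAF Regional web acl
      aws_waf_web_acl:
        name: "{{ resource_prefix }}_web_acl"
        rules:
          - name: "{{ resource_prefix }}_rule_2"
            priority: 2
            action: allow
        default_action: block
        state: present
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      register: waf_regional_web_acl_add_rule

    - name: check that rule was added to the WAF Regional web acl
      assert:
        that:
          - waf_regional_web_acl_add_rule.changed
          - waf_regional_web_acl_add_rule.web_acl.rules|length == 2

    - name: use purge rules to remove the WAF Regional first rule
      aws_waf_web_acl:
        name: "{{ resource_prefix }}_web_acl"
        rules:
          - name: "{{ resource_prefix }}_rule_2"
            priority: 2
            action: allow
        purge_rules: true
        default_action: block
        state: present
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      register: waf_regional_web_acl_add_rule

    - name: check that rule was removed from the WAF Regional web acl
      assert:
        that:
          - waf_regional_web_acl_add_rule.changed
          - waf_regional_web_acl_add_rule.web_acl.rules|length == 1

    - name: swap two WAF Regional rules of same priority
      aws_waf_web_acl:
        name: "{{ resource_prefix }}_web_acl"
        rules:
          - name: "{{ resource_prefix }}_rule"
            priority: 2
            action: allow
        purge_rules: true
        default_action: block
        state: present
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      register: waf_regional_web_acl_swap_rule

    - name: attempt to delete the WAF Regional inuse first rule
      aws_waf_rule:
        name: "{{ resource_prefix }}_rule"
        state: absent
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      ignore_errors: true
      register: remove_waf_regional_inuse_rule

    - name: check that removing WAF Regional in-use rule fails
      assert:
        that:
          - remove_waf_regional_inuse_rule.failed

    - name: delete the WAF Regional web acl
      aws_waf_web_acl:
        name: "{{ resource_prefix }}_web_acl"
        state: absent
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      register: delete_waf_regional_web_acl

    - name: check that WAF Regional web acl was deleted
      assert:
        that:
          - delete_waf_regional_web_acl.changed
          - not delete_waf_regional_web_acl.web_acl

    - name: delete the no longer in use WAF Regional first rule
      aws_waf_rule:
        name: "{{ resource_prefix }}_rule"
        state: absent
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info

  ##################################################
  # TEARDOWN
  ##################################################

  # Runs whether or not the block above succeeded. Web ACLs are removed
  # first, then rules, then conditions; every task ignores errors so that
  # one missing resource does not stop the rest of the cleanup.
  always:
    - debug:
        msg: "****** TEARDOWN STARTS HERE ******"

    - name: delete the web acl
      aws_waf_web_acl:
        name: "{{ resource_prefix }}_web_acl"
        state: absent
        purge_rules: true
        <<: *aws_connection_info
      ignore_errors: true

    - name: remove second WAF rule
      aws_waf_rule:
        name: "{{ resource_prefix }}_rule_2"
        state: absent
        purge_conditions: true
        <<: *aws_connection_info
      ignore_errors: true

    - name: remove WAF rule
      aws_waf_rule:
        name: "{{ resource_prefix }}_rule"
        state: absent
        purge_conditions: true
        <<: *aws_connection_info
      ignore_errors: true

    - name: remove XSS condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_xss_condition"
        type: xss
        state: absent
        <<: *aws_connection_info
      ignore_errors: true

    - name: remove SQL condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_sql_condition"
        type: sql
        state: absent
        <<: *aws_connection_info
      ignore_errors: true

    - name: remove size condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_size_condition"
        type: size
        state: absent
        <<: *aws_connection_info
      ignore_errors: true

    - name: remove geo condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_geo_condition"
        type: geo
        state: absent
        <<: *aws_connection_info
      ignore_errors: true

    - name: remove byte condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_byte_condition"
        type: byte
        state: absent
        <<: *aws_connection_info
      ignore_errors: true

    - name: remove ip address condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_ip_condition"
        type: ip
        state: absent
        <<: *aws_connection_info
      ignore_errors: true

    - name: remove regex part 2 condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_regex_condition_part_2"
        type: regex
        state: absent
        <<: *aws_connection_info
      ignore_errors: true

    - name: remove first regex condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_regex_condition"
        type: regex
        state: absent
        <<: *aws_connection_info
      ignore_errors: true

    - name: delete the WAF Regional web acl
      aws_waf_web_acl:
        name: "{{ resource_prefix }}_web_acl"
        state: absent
        purge_rules: true
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      ignore_errors: true

    - name: remove second WAF Regional rule
      aws_waf_rule:
        name: "{{ resource_prefix }}_rule_2"
        state: absent
        purge_conditions: true
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      ignore_errors: true

    - name: remove WAF Regional rule
      aws_waf_rule:
        name: "{{ resource_prefix }}_rule"
        state: absent
        purge_conditions: true
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      ignore_errors: true

    - name: remove WAF Regional XSS condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_xss_condition"
        type: xss
        state: absent
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      ignore_errors: true

    - name: remove WAF Regional SQL condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_sql_condition"
        type: sql
        state: absent
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      ignore_errors: true

    - name: remove WAF Regional size condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_size_condition"
        type: size
        state: absent
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      ignore_errors: true

    - name: remove WAF Regional geo condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_geo_condition"
        type: geo
        state: absent
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      ignore_errors: true

    - name: remove WAF Regional byte condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_byte_condition"
        type: byte
        state: absent
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      ignore_errors: true

    - name: remove WAF Regional ip address condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_ip_condition"
        type: ip
        state: absent
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      ignore_errors: true

    - name: remove WAF Regional regex part 2 condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_regex_condition_part_2"
        type: regex
        state: absent
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      ignore_errors: true

    - name: remove first WAF Regional regex condition
      aws_waf_condition:
        name: "{{ resource_prefix }}_regex_condition"
        type: regex
        state: absent
        region: "{{ aws_region }}"
        waf_regional: true
        <<: *aws_connection_info
      ignore_errors: true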