Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/epomatti/aws-apprunner-waf
AWS App Runner with WAF Web ACLs
aws aws-apprunner aws-ecr aws-security aws-waf iam sqli sqlinjection terraform waf
Last synced: about 2 months ago
AWS App Runner with WAF Web ACLs
- Host: GitHub
- URL: https://github.com/epomatti/aws-apprunner-waf
- Owner: epomatti
- License: mit
- Created: 2022-08-07T23:26:16.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2024-01-23T12:26:46.000Z (12 months ago)
- Last Synced: 2024-01-24T00:15:22.452Z (12 months ago)
- Topics: aws, aws-apprunner, aws-ecr, aws-security, aws-waf, iam, sqli, sqlinjection, terraform, waf
- Language: HCL
- Homepage:
- Size: 125 KB
- Stars: 1
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# AWS App Runner + WAF & X-Ray
AWS App Runner using WAF rules.
Create the infrastructure:
```sh
terraform init
terraform apply -auto-approve
```
The default image will be NGINX.
## WAF
Customize WAF rules behavior:
```terraform
waf_allowed_country_codes = ["BR", "US"]
```
To test the rate-limiting rule, run a loop and verify in another terminal when it starts blocking. Example:
```sh
bash loop.sh https://.us-east-2.awsapprunner.com
```
Blocked requests should have a custom message:
## Body size
Following this [guideline][1], WAF is configured with `AWS Managed Rules Core` rule set to limit requests in the `/post` endpoint to 8,192 bytes. Requests with more than that will be blocked.
An exception is added to the `/put` route, which will allow requests to go through.
It is important to notice the limits of inspection as well:
> AWS WAF inspects the first 8 KB (8,192 bytes) of the request body. This is a hard service limit and can't be changed.
To test different options, use the Insomnia project export.
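The WAF behaviour described in the two sections above (a rate-based rule that answers blocked requests with a custom message, and the AWS Managed Rules Core rule set whose body-size restriction applies everywhere except the `/put` route) can be expressed in one `aws_wafv2_web_acl` resource. The block below is an added example written for this page, not the repository's own Terraform. It assumes the App Runner service resource is named `aws_apprunner_service.app`; the rule names, priorities and the rate-limit threshold of 100 are illustrative values chosen here.

```terraform
# Added example; not the repository's own code. Assumptions: the App Runner
# service resource is named aws_apprunner_service.app, and the rule names,
# priorities and the rate-limit threshold are illustrative values.
resource "aws_wafv2_web_acl" "apprunner" {
  name  = "apprunner-waf"
  scope = "REGIONAL" # App Runner is regional; a CLOUDFRONT-scoped ACL cannot be associated

  default_action {
    allow {}
  }

  # Body returned to blocked clients (the custom message the README refers to)
  custom_response_body {
    key          = "blocked"
    content      = "Request blocked by WAF"
    content_type = "TEXT_PLAIN"
  }

  # Rate limit per source IP; once the threshold is exceeded within the
  # 5-minute evaluation window, further requests get a 429 with the custom body.
  rule {
    name     = "rate-limit"
    priority = 1
    action {
      block {
        custom_response {
          response_code            = 429
          custom_response_body_key = "blocked"
        }
      }
    }
    statement {
      rate_based_statement {
        limit              = 100 # assumed threshold
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit"
      sampled_requests_enabled   = true
    }
  }

  # AWS Managed Rules Core rule set; its SizeRestrictions_BODY rule blocks
  # bodies over 8,192 bytes. The scope-down statement removes /put from the
  # group's scope, which is the exception the README describes.
  rule {
    name     = "core-rule-set"
    priority = 2
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
        scope_down_statement {
          not_statement {
            statement {
              byte_match_statement {
                positional_constraint = "STARTS_WITH"
                search_string         = "/put"
                field_to_match {
                  uri_path {}
                }
                text_transformation {
                  priority = 0
                  type     = "NONE"
                }
              }
            }
          }
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "core-rule-set"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "apprunner-waf"
    sampled_requests_enabled   = true
  }
}

# Attach the ACL to the App Runner service (assumed resource name)
resource "aws_wafv2_web_acl_association" "apprunner" {
  resource_arn = aws_apprunner_service.app.arn
  web_acl_arn  = aws_wafv2_web_acl.apprunner.arn
}
```

Two points worth checking after `terraform apply`: the scope-down statement only decides which requests the managed group evaluates, so a request to `/put` with a large body is passed to the application untouched, and because WAF inspects only the first 8 KB of any body, a rule of your own on `/post` cannot see payload beyond that boundary either. The sampled requests enabled above are the quickest way to confirm in the console which rule actually terminated a blocked request from the loop test.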
## Optional (ECR)
To use ECR, configure the `.auto.tfvars` file before creating the resources:
```sh
bash ecrPushHttpbin.sh
```
Also, uncomment the ECR authentication:
```terraform
authentication_configuration {
access_role_arn = var.access_role_arn
}
```
Create the repository:
```sh
aws ecr create-repository --repository-name dotnet-app
```
Build and publish the image:
```sh
docker build . -t .dkr.ecr..amazonaws.com/dotnet-app:latest
aws ecr get-login-password --region | docker login --username AWS --password-stdin .dkr.ecr..amazonaws.com
docker push .dkr.ecr..amazonaws.com/dotnet-app:latest
```
### Local Testing
Running the .NET app:
```sh
dotnet restore
dotnet run
```
To build the Docker image locally:
```sh
docker build -t dotnet-app-image .
docker run --rm -p 80:80 --name dotnet-app dotnet-app-image
```
[1]: https://repost.aws/knowledge-center/waf-http-request-body-inspection