# CFNDSL
# Custom resource that delegates to the WAFRateLimitFunction Lambda (via
# ServiceToken) to manage a rate-based rule on the WebACL. How Rate, Negated
# and Action are interpreted is decided by the handler in ./waf_rate_limit/,
# which is not visible here — confirm against that code before tuning them.
Resource "RateLimitRule" do
  Type "Custom::WAFRateLimit"
  # Lambda implementing the custom-resource create/update/delete lifecycle
  Property "ServiceToken", FnGetAtt("WAFRateLimitFunction", "Arn")
  Property "EnvironmentName", Ref("EnvironmentName")
  Property "Region", Ref("AWS::Region")
  # Threshold passed to the handler (units are the handler's — TODO confirm)
  Property "Rate", 5000
  Property "Negated", true
  Property "Action", "BLOCK"
  # IP set produced by the waf_ip_set helper from ip_blocks (defined elsewhere)
  Property "IPSet", waf_ip_set(ip_blocks, ["rate_limited"])
  Property "WebACLId", Ref("WebACL")
  Property "Priority", 2
end
# Lambda backing the Custom::WAFRateLimit resource. Packaged from
# ./waf_rate_limit/ with entry point handler.lambda_handler.
# NOTE(review): python3.6 is past end of support on Lambda, so AWS no longer
# accepts new functions on it and it receives no security patches; move to a
# supported runtime the handler is known to run on — TODO confirm against
# ./waf_rate_limit/ before changing.
Resource "WAFRateLimitFunction" do
  Type "AWS::Lambda::Function"
  Property "Code", "./waf_rate_limit/"
  Property "Handler", "handler.lambda_handler"
  Property "Runtime", "python3.6"
  Property "Timeout", 60
  # Execution role declared below; its permissions come from Policies#get_policies('waf')
  Property "Role", FnGetAtt("WAFRole", "Arn")
end
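# Execution role for WAFRateLimitFunction. Trusted only by the Lambda service
# principal; the inline permissions come from Policies#get_policies('waf'),
# whose contents are not visible here — review them for least privilege (the
# handler should hold only the WAF actions it actually calls).
Resource('WAFRole') {
  Type 'AWS::IAM::Role'
  Property('AssumeRolePolicyDocument', {
    # Explicit Version: when omitted, IAM evaluates the document under the
    # older 2008-10-17 grammar; 2012-10-17 is the current policy language.
    Version: '2012-10-17',
    Statement: [
      {
        Effect: 'Allow',
        Principal: { Service: ['lambda.amazonaws.com'] },
        Action: ['sts:AssumeRole']
      }
    ]
  })
  Property('Path', '/')
  Property('Policies', Policies.new.get_policies('waf'))
}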