codeenigma · matej5 · Sep 27, 2024 · Sep 27, 2024 · Sep 27, 2024
diff --git a/roles/aws/aws_acl/defaults/main.yml b/roles/aws/aws_acl/defaults/main.yml
@@ -1,33 +1,24 @@
 ---
 aws_acl:
-  - name: example_master_acl
-    description: "Master ACL for CF"
+  - name: "{{ _infra_name }}_main_acl"
+    description: "ACL rules from ce-provision-config"
     scope: CLOUDFRONT # Can be REGIONAL for ALBs
     region: "us-east-1"
-    tags: {}
+    tags: "{{ _aws_tags }}"
     rules:
       rate_limit:
-        value: 200 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking
+        value: 600 # set to 0 to skip rate limit rule, set to a value to set how many requests to allow in period before blocking
         priority: 2 # can be float with 1 decimal place
       ip_sets:
-        - rule_name: "Allowed-ips"
-          set_name: "Office-IPs"
-          description: "List of IPs from office"
+        - rule_name: "Allowed-IPs-rule"
+          set_name: "Allowed-IPs-set"
+          description: "List of IPs from our VPNs - Ansible managed"
           action: allow
-          priority: 1 # can be float with 1 decimal place
-          list: [] # If the list is empty, ip set won't be recreated
-            #- 1.1.1.1/32 # list of ip ranges
-            #- 2.2.2.2/32
-            #- 3.3.3.3/32
-        - rule_name: "Blocked-IPs"
-          set_name: "DDOS-list"
-          description: "List of IPs That were ddosing server"
-          action: block
-          priority: 0
-          list: [] # If the list is empty, ip set won't be recreated
-            #- 4.4.4.4/32 # list of ip ranges
-            #- 5.5.5.5/32
-            #- 6.6.6.6/32
+          priority: 1
+          list:
+            - 3.11.82.252/32 # main VPN
+            - 159.100.242.248/32 # backup VPN, bastion2
+            - 3.8.9.162/32 # guest VPN
       country_codes:
         - name: "allowed-countries"
           action: allow
@@ -44,34 +35,35 @@ aws_acl:
       regular_rules:
         - name: allow_panels
           action: allow
-          statements_type: "single" # supported "and", "or" and "not" ("and" and "or" supports multiple statements)
+          statements_type: "single" # supported "single", "and", "or" and "not" ("and" and "or" supports multiple statements)
           priority: 4
           statements:
-            - inspect: "UriPath" # Aslo supported: "SingleHeader"
+            - inspect: "UriPath" # Use: "SingleHeader" or "UriPath"
               position: "CONTAINS"
               string: "panels/ajax"
               text_trans: "NONE"
-        - name: block_bots
-          action: block
-          statements_type: "or" # supported "and", "or" and "not" ("and" and "or" supports multiple statements)
-          priority: 5
-          statements:
-            - inspect: "SingleHeader" # Aslo supported: "SingleHeader"
-              position: "CONTAINS"
-              string: "spider"
-              text_trans: "LOWERCASE"
-            - inspect: "SingleHeader" # Aslo supported: "SingleHeader"
-              position: "CONTAINS"
-              string: "bot"
-              text_trans: "LOWERCASE"
-            - inspect: "SingleHeader" # Aslo supported: "SingleHeader"
-              position: "CONTAINS"
-              string: "crawl"
-              text_trans: "LOWERCASE"
+#   Example for multi header block
+#        - name: block_bots
+#          action: block
+#          statements_type: "or" # supported "single", "and", "or" and "not" ("and" and "or" supports multiple statements)
+#          priority: 5
+#          statements:
+#            - inspect: "SingleHeader" # Use: "SingleHeader" or "UriPath"
+#              position: "CONTAINS"
+#              string: "spider"
+#              text_trans: "LOWERCASE"
+#            - inspect: "SingleHeader" # Use: "SingleHeader" or "UriPath"
+#              position: "CONTAINS"
+#              string: "bot"
+#              text_trans: "LOWERCASE"
+#            - inspect: "SingleHeader" # Use: "SingleHeader" or "UriPath"
+#              position: "CONTAINS"
+#              string: "crawl"
+#              text_trans: "LOWERCASE"
       # Managed rules list
       bot_control:
         enabled: false
-        target: "COMMON" # or set to TARGETED inspection level (comment out to avoid addign rule)
+        target: "COMMON" # "COMMON" or "TARGETED" inspection level
         priority: 3
       cyber_sec:
         enabled: false # Need to subscribe first in AWS

diff --git a/roles/aws/aws_backup_validation/tasks/main.yml b/roles/aws/aws_backup_validation/tasks/main.yml
@@ -37,8 +37,9 @@
   ansible.builtin.wait_for:
     timeout: 20
 
-- name: Get verified domain.
-  ansible.builtin.include_tasks: get_valid_email.yml
+# Not all clients have verified identity
+#- name: Get verified domain.
+#  ansible.builtin.include_tasks: get_valid_email.yml
 
 - name: Clean and set python functions
   block:

diff --git a/roles/aws/aws_backup_validation/templates/EC2_validation.py.j2 b/roles/aws/aws_backup_validation/templates/EC2_validation.py.j2
@@ -135,7 +135,8 @@ def lambda_handler(event, context):
       'Data': 'Lambda Backup validation: ' + mail_title,
     },
   },
-  Source='Lambda Backup Validation <lambda@{{ _verified_domain }}>',
+#  Source='Lambda Backup Validation <lambda@{{ _verified_domain }}>',
+  Source='Lambda Backup Validation <[email protected]>',
   )
 
   return {

diff --git a/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2 b/roles/aws/aws_backup_validation/templates/RDS_validation.py.j2
@@ -113,7 +113,8 @@ def lambda_handler(event, context):
       'Data': 'Lambda Backup validation: ' + mail_title,
     },
   },
-  Source='Lambda Backup Validation <lambda@{{ _verified_domain }}>',
+#  Source='Lambda Backup Validation <lambda@{{ _verified_domain }}>',
+  Source='Lambda Backup Validation <[email protected]>',
   )
 
   print(json.dumps(event))