aws-samples
diff --git a/‎README.md‎
Lines changed: 60 additions & 7 deletions b/‎README.md‎
Lines changed: 60 additions & 7 deletions
diff --git a/‎templates/instance.template‎
Lines changed: 168 additions & 0 deletions b/‎templates/instance.template‎
Lines changed: 168 additions & 0 deletions
diff --git a/‎templates/main.template‎
Lines changed: 121 additions & 0 deletions b/‎templates/main.template‎
Lines changed: 121 additions & 0 deletions
@@ -1,13 +1,66 @@
-## My Project
+# AWS WAF workshop
 
-TODO: Fill this README out!
+> Warning: This project is currently being developed and the code shouldn't be used in production.
 
-Be sure to:
+### usage 
 
-* Change the title in this README
-* Edit your repository description on GitHub
+- create a VPC, add two public subnets in two separate AZs
+- point an ALB at an AutoScaling Group
+- allow http:80 access
+- instantiate EC2s with a running webserver
 
-## License
 
-This library is licensed under the MIT-0 License. See the LICENSE file.
+#### deploy
+
+`aws s3 mb s3://$BUCKETNAME`
+> bucket must be created in same region as deployment
+
+`aws cloudformation  package  --template-file main.template   --s3-bucket $BUCKETNAME   --s3-prefix stacks   --output-template-file rootstack  --force-upload`
+
+`aws cloudformation deploy --template-file rootstack --stack-name WAFDEMO  --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND && aws cloudformation list-exports --query 'Exports[].{Name: Name, Value: Value}'`
+
+`aws cloudformation delete-stack --stack-name WAFDEMO && rm rootstack.json`
+
+
+#### TODO  
+- convert config to inst and add cfn-sig?
+- cloudwatch dashboards
+- use fargate?
+
+
+#### userdata to spin up sample web servers on **port 80**
+
+*httpserver on python2.7:* no special installs  nor updates required, so quick to spin up
+
+```
+#!/bin/bash
+echo "<h1>Hello AWS WAF Security Automations</h1>" > index.html
+python -m SimpleHTTPServer 80 .
+```
+
+*default example:* provided by US builders for waf demo
+```
+#!/bin/bash
+sudo yum update -y
+sudo yum install -y httpd
+sudo systemctl enable httpd
+sudo touch /var/www/html/index.html
+sudo chmod 666 /var/www/html/index.html
+echo "<h1>Hello AWS WAF Security Automations</h1>" > /var/www/html/index.html
+sudo systemctl restart httpd
+```
+
+*juiceshop:* full fledged vulnerable site
+
+```
+#!/bin/bash
+yum update -y
+yum install -y httpd-tools
+yum install -y docker
+service docker start
+docker pull bkimminich/juice-shop\ndocker run -d -p 80:3000 bkimminich/juice-shop
+```
+
+## License
 
+This library is licensed under the MIT-0 License. See the LICENSE file.
@@ -0,0 +1,168 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: set up a launch configuration and attach to ASG
+Metadata: {}
+Parameters:
+  TheAmi:
+    Type: String
+  WebSecurityGroup:
+    Type: String
+  ALBSecurityGroup:
+    Type: String
+  TheVpcId:
+    Type: String
+  TheSubnetId:
+    Type: String
+  TheOtherSubnetId:
+    Type: String
+  TheWebPort:
+    Type: Number
+Mappings: {}
+Conditions: {}
+Resources:
+  TheRolePolicies:
+    Type: AWS::IAM::Policy
+    Properties:
+      PolicyName: TheSystemManagerPolicy
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Action:
+              - ssmmessages:CreateControlChannel
+              - ssmmessages:CreateDataChannel
+              - ssmmessages:OpenControlChannel
+              - ssmmessages:OpenDataChannel
+              - ssm:UpdateInstanceInformation
+            Resource: '*'
+          - Effect: Allow
+            Action:
+              - s3:GetEncryptionConfiguration
+            Resource: '*'
+      Roles:
+        - !Ref 'TheRole'
+  TheRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - ec2.amazonaws.com
+            Action:
+              - sts:AssumeRole
+      Path: /
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
+  TheInstanceProfile:
+    DependsOn:
+      - TheRole
+    Type: AWS::IAM::InstanceProfile
+    Properties:
+      Path: /
+      Roles:
+        - !Ref 'TheRole'
+  TheLoadBalancer:
+    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
+    Properties:
+      Name: ApplicationLoadBalancer
+      Scheme: internet-facing
+      SecurityGroups:
+        - !Ref 'ALBSecurityGroup'
+      Subnets:
+        - !Ref 'TheSubnetId'
+        - !Ref 'TheOtherSubnetId'
+      Tags:
+        - Key: Name
+          Value: !Sub '${AWS::StackName}-ALB'
+      Type: application
+  TheListener:
+    DependsOn:
+      - TheTargetGroup
+      - TheLoadBalancer
+    Type: AWS::ElasticLoadBalancingV2::Listener
+    Properties:
+      DefaultActions:
+        - TargetGroupArn: !Ref 'TheTargetGroup'
+          Type: forward
+      LoadBalancerArn: !Ref 'TheLoadBalancer'
+      Port: !Ref 'TheWebPort'
+      Protocol: HTTP
+  TheRule:
+    DependsOn:
+      - TheListener
+    Type: AWS::ElasticLoadBalancingV2::ListenerRule
+    Properties:
+      Actions:
+        - TargetGroupArn: !Ref 'TheTargetGroup'
+          Type: forward
+      Conditions:
+        - Field: path-pattern
+          Values:
+            - /
+      ListenerArn: !Ref 'TheListener'
+      Priority: '1'
+  TheTargetGroup:
+    Type: AWS::ElasticLoadBalancingV2::TargetGroup
+    Properties:
+      Name: WafDemoTargetGroup
+      Port: !Ref 'TheWebPort'
+      Protocol: HTTP
+      VpcId: !Ref 'TheVpcId'
+      Tags:
+        - Key: Name
+          Value: !Sub '${AWS::StackName}-TargetGroup'
+      HealthCheckEnabled: true
+      HealthyThresholdCount: 3
+      HealthCheckIntervalSeconds: 10
+      UnhealthyThresholdCount: 10
+      HealthCheckPath: /
+      HealthCheckPort: !Ref 'TheWebPort'
+      HealthCheckProtocol: HTTP
+      HealthCheckTimeoutSeconds: 5
+      Matcher:
+        HttpCode: 200-299
+      TargetType: instance
+      Targets: []
+  TheAutoScalingGroup:
+    Type: AWS::AutoScaling::AutoScalingGroup
+    Properties:
+      TargetGroupARNs:
+        - !Ref 'TheTargetGroup'
+      VPCZoneIdentifier:
+        - !Ref 'TheSubnetId'
+        - !Ref 'TheOtherSubnetId'
+      AvailabilityZones:
+        - !Select
+          - 0
+          - !GetAZs
+            Ref: AWS::Region
+        - !Select
+          - 1
+          - !GetAZs
+            Ref: AWS::Region
+      LaunchConfigurationName: !Ref 'TheLaunchConfig'
+      DesiredCapacity: '2'
+      MinSize: '1'
+      MaxSize: '3'
+  TheLaunchConfig:
+    DependsOn:
+      - TheInstanceProfile
+    Type: AWS::AutoScaling::LaunchConfiguration
+    Properties:
+      IamInstanceProfile: !Ref 'TheInstanceProfile'
+      ImageId: !Ref 'TheAmi'
+      InstanceType: t2.micro
+      AssociatePublicIpAddress: true
+      SecurityGroups:
+        - !Ref 'WebSecurityGroup'
+      UserData: !Base64
+        Fn::Sub: "#!/bin/bash\nsudo yum update -y\nsudo yum install -y httpd-tools\n\
+          sudo yum install -y docker\nservice docker start\ndocker pull bkimminich/juice-shop\n\
+          docker run -d -p ${TheWebPort}:3000 bkimminich/juice-shop"
+Outputs:
+  TheSiteUrl:
+    Description: public url of the application
+    Value: !Sub 'http://${TheLoadBalancer.DNSName}:${TheWebPort}/'
+    Export:
+      Name: site-url
@@ -0,0 +1,121 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: create all non-WAF resources for the Summit WAF session
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          Default: 'Setup: leave as defaults unless  you know what you''re doing'
+        Parameters:
+          - TheAmi
+          - TheVpcRange
+          - TheSubnetRange
+          - TheOtherSubnetRange
+          - ThePublicIp
+          - TheWebPort
+    ParameterLabels:
+      TheAmi:
+        Description: must be a linux2 ami
+      TheVpcRange:
+        Description: vpc cidr block
+      TheSubnetRange:
+        Description: subnet cidr block
+      TheOtherSubnetRange:
+        Description: another subnet cidr block
+      TheWebPort:
+        Description: port application is listening at
+      ThePublicIp:
+        Description: public ip to whitelist, your public ip nomrally
+Parameters:
+  TheAmi:
+    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
+    Default: /aws/service/ami-amazon-linux-latest/amzn-ami-hvm-x86_64-gp2
+  ThePublicIp:
+    Description: public ip to whitelist
+    Type: String
+    Default: '0.0.0.0/0'
+  TheVpcRange:
+    Description: vpc CIDR range
+    Default: 10.0.3.0/26
+    Type: String
+  TheSubnetRange:
+    Description: subnet CIDR
+    Default: 10.0.3.16/28
+    Type: String
+  TheOtherSubnetRange:
+    Description: subnet CIDR
+    Default: 10.0.3.32/28
+    Type: String
+  TheSubnetId:
+    Description: for load balancer
+    Type: String
+    Default: ''
+  TheVpcId:
+    Description: for load balancer
+    Type: String
+    Default: ''
+  TheOtherSubnetId:
+    Description: for load balancer
+    Default: ''
+    Type: String
+  WebSecurityGroup:
+    Description: output from security template
+    Type: String
+    Default: ''
+  ALBSecurityGroup:
+    Description: output from security template
+    Type: String
+    Default: ''
+  TheWebPort:
+    Description: port application is listening at
+    Default: 80
+    Type: Number
+Mappings: {}
+Conditions: {}
+Resources:
+  TheNeworkStack:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      Parameters:
+        TheVpcRange: !Ref 'TheVpcRange'
+        TheSubnetRange: !Ref 'TheSubnetRange'
+        TheOtherSubnetRange: !Ref 'TheOtherSubnetRange'
+        ThePublicIp: !Ref 'ThePublicIp'
+      Tags:
+        - Key: Name
+          Value: !Sub '${AWS::StackName}-VPC'
+      TemplateURL: ./network.template
+      TimeoutInMinutes: 20
+  TheSecurityStack:
+    DependsOn:
+      - TheNeworkStack
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      Parameters:
+        ThePublicIp: !Ref 'ThePublicIp'
+        TheWebPort: !Ref 'TheWebPort'
+        TheVpcId: !GetAtt 'TheNeworkStack.Outputs.VpcId'
+      Tags:
+        - Key: Name
+          Value: !Sub '${AWS::StackName}-SecurityGroup'
+      TemplateURL: ./security.template
+      TimeoutInMinutes: 20
+  TheInstanceStack:
+    DependsOn:
+      - TheSecurityStack
+      - TheNeworkStack
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      Parameters:
+        TheAmi: !Ref 'TheAmi'
+        WebSecurityGroup: !GetAtt 'TheSecurityStack.Outputs.WebSecurityGroup'
+        TheWebPort: !Ref 'TheWebPort'
+        ALBSecurityGroup: !GetAtt 'TheSecurityStack.Outputs.ALBSecurityGroup'
+        TheSubnetId: !GetAtt 'TheNeworkStack.Outputs.SubnetId'
+        TheVpcId: !GetAtt 'TheNeworkStack.Outputs.VpcId'
+        TheOtherSubnetId: !GetAtt 'TheNeworkStack.Outputs.OtherSubnetId'
+      Tags:
+        - Key: Name
+          Value: !Sub '${AWS::StackName}-ASG'
+      TemplateURL: ./instance.template
+      TimeoutInMinutes: 30
+Outputs: {}