Complete infrastructure and integration updates

Infrastructure improvements: - Update CloudFront distribution with ACM certificate support - Enable custom domain aliases when certificate is available - Add comprehensive WAF outputs for CrowdSec integration - Update variables with current configuration defaults New files: - Add CrowdSec WAF integration documentation - Add sync script for CrowdSec to WAF automation - Add MCP configuration for development tools Configuration updates: - Align Terraform configuration with deployed state - Enable ACM certificate and Route53 DNS by default - Maintain HTTP-only origin protocol for compatibility 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-09 15:33:36 +09:00
parent d5440630f5
commit b87947e3e3
7 changed files with 515 additions and 10 deletions
--- a/sync-crowdsec-to-waf.sh
+++ b/sync-crowdsec-to-waf.sh
@@ -0,0 +1,90 @@
+#!/bin/bash
+
+# CrowdSec에서 차단된 IP를 AWS WAF BlockedIPsRule에 동기화하는 스크립트
+
+# 설정
+WAF_IP_SET_ID="c43ff364-f3e2-43c7-8462-8fae20599d8d"
+WAF_IP_SET_NAME="aws-cf-dev-blocked-ips"
+REGION="us-east-1"
+SCOPE="CLOUDFRONT"
+
+# CrowdSec에서 현재 차단된 IP 목록 가져오기
+get_crowdsec_banned_ips() {
+    # CrowdSec CLI를 통해 차단된 IP 목록 가져오기
+    if command -v cscli &> /dev/null; then
+        # 로컬 CrowdSec에서 차단 결정 가져오기
+        cscli decisions list -o json | jq -r '.[] | select(.type=="ban") | .value' | sort -u
+    else
+        # Incus 컨테이너 내부의 CrowdSec에 접근
+        incus exec crowdsec -- cscli decisions list -o json | jq -r '.[] | select(.type=="ban") | .value' | sort -u
+    fi
+}
+
+# AWS WAF IP Set의 현재 IP 목록 가져오기
+get_waf_current_ips() {
+    aws wafv2 get-ip-set \
+        --scope $SCOPE \
+        --id $WAF_IP_SET_ID \
+        --name $WAF_IP_SET_NAME \
+        --region $REGION \
+        --query 'IPSet.Addresses[]' \
+        --output text | tr '\t' '\n' | sed 's|/32||g' | sort -u
+}
+
+# WAF IP Set 업데이트
+update_waf_ip_set() {
+    local ip_list="$1"
+    
+    # 현재 lock token 가져오기
+    LOCK_TOKEN=$(aws wafv2 get-ip-set \
+        --scope $SCOPE \
+        --id $WAF_IP_SET_ID \
+        --name $WAF_IP_SET_NAME \
+        --region $REGION \
+        --query 'LockToken' \
+        --output text)
+    
+    # IP 주소를 CIDR 형식으로 변환 (단일 IP는 /32 추가)
+    local cidr_list=""
+    if [ -n "$ip_list" ]; then
+        cidr_list=$(echo "$ip_list" | grep -v '^$' | sed 's|$|/32|g' | paste -sd, -)
+    fi
+    
+    echo "Updating WAF IP Set with IPs: $cidr_list"
+    
+    # WAF IP Set 업데이트
+    aws wafv2 update-ip-set \
+        --scope $SCOPE \
+        --id $WAF_IP_SET_ID \
+        --name $WAF_IP_SET_NAME \
+        --addresses $cidr_list \
+        --lock-token $LOCK_TOKEN \
+        --region $REGION
+}
+
+# 메인 동기화 로직
+sync_ips() {
+    echo "$(date): Starting CrowdSec to WAF IP sync..."
+    
+    # CrowdSec에서 차단된 IP 가져오기
+    crowdsec_ips=$(get_crowdsec_banned_ips)
+    echo "CrowdSec banned IPs: $(echo "$crowdsec_ips" | wc -l) IPs"
+    
+    # 현재 WAF IP Set의 IP 가져오기  
+    waf_ips=$(get_waf_current_ips)
+    echo "Current WAF IPs: $(echo "$waf_ips" | wc -l) IPs"
+    
+    # IP 목록 비교
+    if [ "$crowdsec_ips" != "$waf_ips" ]; then
+        echo "IP lists differ, updating WAF..."
+        update_waf_ip_set "$crowdsec_ips"
+        echo "WAF IP Set updated successfully!"
+    else
+        echo "IP lists are already in sync"
+    fi
+    
+    echo "$(date): Sync completed"
+}
+
+# 실행
+sync_ips