Set custom CDN waf rules (#101)

* this will be used for specific cases where we want requests to bypass the rate limit policy
DFE-Digital · Jul 24, 2024 · 1b1172d · 1b1172d
1 parent 5aac0de
commit 1b1172d
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 3 deletions.
diff --git a/terraform/README.md b/terraform/README.md
@@ -173,6 +173,7 @@ If everything looks good, answer `yes` and wait for the new infrastructure to be
 | <a name="input_cdn_frontdoor_host_add_response_headers"></a> [cdn\_frontdoor\_host\_add\_response\_headers](#input\_cdn\_frontdoor\_host\_add\_response\_headers) | List of response headers to add at the CDN Front Door `[{ "name" = "Strict-Transport-Security", "value" = "max-age=31536000" }]` | `list(map(string))` | n/a | yes |
 | <a name="input_cdn_frontdoor_origin_fqdn_override"></a> [cdn\_frontdoor\_origin\_fqdn\_override](#input\_cdn\_frontdoor\_origin\_fqdn\_override) | Manually specify the hostname that the CDN Front Door should target. Defaults to the Container App FQDN | `string` | `""` | no |
 | <a name="input_cdn_frontdoor_origin_host_header_override"></a> [cdn\_frontdoor\_origin\_host\_header\_override](#input\_cdn\_frontdoor\_origin\_host\_header\_override) | Manually specify the host header that the CDN sends to the target. Defaults to the recieved host header. Set to null to set it to the host\_name (`cdn_frontdoor_origin_fqdn_override`) | `string` | `""` | no |
+| <a name="input_cdn_frontdoor_waf_custom_rules"></a> [cdn\_frontdoor\_waf\_custom\_rules](#input\_cdn\_frontdoor\_waf\_custom\_rules) | Map of all Custom rules you want to apply to the CDN WAF | <pre>map(object({<br>    priority : number,<br>    action : string<br>    match_conditions : map(object({<br>      match_variable : string,<br>      match_values : optional(list(string), []),<br>      operator : optional(string, "Any"),<br>      selector : optional(string, null),<br>      negation_condition : optional(bool, false),<br>    }))<br>  }))</pre> | `{}` | no |
 | <a name="input_container_apps_allow_ips_inbound"></a> [container\_apps\_allow\_ips\_inbound](#input\_container\_apps\_allow\_ips\_inbound) | Restricts access to the Container Apps by creating a network security group rule that only allow inbound traffic from the provided list of IPs | `list(string)` | `[]` | no |
 | <a name="input_container_command"></a> [container\_command](#input\_container\_command) | Container command | `list(any)` | n/a | yes |
 | <a name="input_container_health_probe_path"></a> [container\_health\_probe\_path](#input\_container\_health\_probe\_path) | Specifies the path that is used to determine the liveness of the Container | `string` | `"/"` | no |

diff --git a/terraform/container-apps-hosting.tf b/terraform/container-apps-hosting.tf
@@ -30,6 +30,7 @@ module "azure_container_apps_hosting" {
   enable_cdn_frontdoor                      = local.enable_cdn_frontdoor
   cdn_frontdoor_forwarding_protocol         = local.cdn_frontdoor_forwarding_protocol
   cdn_frontdoor_enable_rate_limiting        = local.cdn_frontdoor_enable_rate_limiting
+  cdn_frontdoor_waf_custom_rules            = local.cdn_frontdoor_waf_custom_rules
   cdn_frontdoor_host_add_response_headers   = local.cdn_frontdoor_host_add_response_headers
   cdn_frontdoor_custom_domains              = local.cdn_frontdoor_custom_domains
   cdn_frontdoor_origin_fqdn_override        = local.cdn_frontdoor_origin_fqdn_override

diff --git a/terraform/locals.tf b/terraform/locals.tf
@@ -45,7 +45,7 @@ locals {
   statuscake_contact_group_name                = var.statuscake_contact_group_name
   statuscake_contact_group_integrations        = var.statuscake_contact_group_integrations
   statuscake_contact_group_email_addresses     = var.statuscake_contact_group_email_addresses
-
-  resource_prefix                 = "${local.environment}${local.project_name}"
-  private_endpoint_configurations = var.private_endpoint_configurations
+  cdn_frontdoor_waf_custom_rules               = var.cdn_frontdoor_waf_custom_rules
+  resource_prefix                              = "${local.environment}${local.project_name}"
+  private_endpoint_configurations              = var.private_endpoint_configurations
 }
diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -334,3 +334,19 @@ variable "private_endpoint_configurations" {
   }))
   default = {}
 }
+
+variable "cdn_frontdoor_waf_custom_rules" {
+  description = "Map of all Custom rules you want to apply to the CDN WAF"
+  type = map(object({
+    priority : number,
+    action : string
+    match_conditions : map(object({
+      match_variable : string,
+      match_values : optional(list(string), []),
+      operator : optional(string, "Any"),
+      selector : optional(string, null),
+      negation_condition : optional(bool, false),
+    }))
+  }))
+  default = {}
+}