diff --git a/terraform/environment/wildsea-dev/plan b/terraform/environment/wildsea-dev/plan
index b31203bf..ca1bf49a 100644
Binary files a/terraform/environment/wildsea-dev/plan and b/terraform/environment/wildsea-dev/plan differ
diff --git a/terraform/module/iac-roles/policy.tf b/terraform/module/iac-roles/policy.tf
index babc7eef..79476b04 100644
--- a/terraform/module/iac-roles/policy.tf
+++ b/terraform/module/iac-roles/policy.tf
@@ -295,15 +295,16 @@ data "aws_iam_policy_document" "rw" {
 statement {
 actions = [
 "wafv2:CreateWebACL",
+ "wafv2:UpdateWebACL",
 ]
 resources = [
- "arn:aws:wafv2:ap-southeast-2:021891603679:regional/managedruleset/*/*"
+ "arn:aws:wafv2:ap-southeast-2:021891603679:regional/managedruleset/*/*",
+ "arn:aws:wafv2:ap-southeast-2:021891603679:regional/webacl/*/*",
 ]
 }
 statement {
 actions = [
- "wafv2:UpdateWebACL",
 "wafv2:DeleteWebACL",
 "wafv2:ListTagsForResource",
 "wafv2:AssociateWebACL",
@@ -522,15 +523,16 @@ data "aws_iam_policy_document" "rw_boundary" {
 statement {
 actions = [
 "wafv2:CreateWebACL",
+ "wafv2:UpdateWebACL",
 ]
 resources = [
- "arn:aws:wafv2:ap-southeast-2:021891603679:regional/managedruleset/*/*"
+ "arn:aws:wafv2:ap-southeast-2:021891603679:regional/managedruleset/*/*",
+ "arn:aws:wafv2:ap-southeast-2:021891603679:regional/webacl/*/*",
 ]
 }
 statement {
 actions = [
- "wafv2:UpdateWebACL",
 "wafv2:DeleteWebACL",
 "wafv2:UpdatebACL",
 "wafv2:ListTagsForResource",
diff --git a/terraform/module/wildsea/graphql.tf b/terraform/module/wildsea/graphql.tf
index 26dd77ef..53167286 100644
--- a/terraform/module/wildsea/graphql.tf
+++ b/terraform/module/wildsea/graphql.tf
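Review bot: The new `regional/webacl/*/*` resource grants `wafv2:UpdateWebACL` on every regional web ACL in the account, not only the one this stack manages; the hunk in `rw_boundary` at 522 makes the same change. graphql.tf names its ACL `${var.prefix}-graphql-waf`, so if the prefix is available to this module the ARN could be narrowed to `arn:aws:wafv2:ap-southeast-2:021891603679:regional/webacl/<prefix>-*/*`, and if it is not, the wildcard deserves a comment such as `# webacl/*: UpdateWebACL must target the ACL itself; narrow by name prefix once it is known here`. The `rw` document starts and ends outside the hunk. Separately, the same commit updates the binary `terraform/environment/wildsea-dev/plan`; plan files carry variable values and resource attributes in cleartext, so keeping them out of the repository is worth considering.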
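Review bot: `"wafv2:UpdatebACL"`, on the line after the removed `wafv2:UpdateWebACL` in `rw_boundary`, is a typo rather than a real WAFv2 action; it was presumably masked while the correctly spelled action sat beside it, and after this hunk it is the only trace of an update action in that statement. IAM accepts the unknown action string but it grants nothing, and it leaves `rw_boundary` out of step with `rw`, whose matching statement does not carry it; the line should be dropped. The `rw_boundary` document starts and ends outside the hunk.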
@@ -59,11 +59,16 @@ resource "aws_iam_role_policy_attachment" "grahql_log" {
 }
 resource "aws_wafv2_web_acl_association" "graphql" {
+ count = var.enable_waf ? 1 : 0
+
 resource_arn = aws_appsync_graphql_api.graphql.arn
- web_acl_arn = aws_wafv2_web_acl.graphql.arn
+ web_acl_arn = aws_wafv2_web_acl.graphql[0].arn
 }
 resource "aws_wafv2_web_acl" "graphql" {
+ # checkov:skip=CKV2_AWS_31:Full logging could be too expensive
+ count = var.enable_waf ? 1 : 0
+
 name = "${var.prefix}-graphql-waf"
 scope = "REGIONAL"
@@ -88,7 +93,7 @@ resource "aws_wafv2_web_acl" "graphql" {
 }
 visibility_config {
- cloudwatch_metrics_enabled = false
+ cloudwatch_metrics_enabled = true
 metric_name = "Ratelimit"
 sampled_requests_enabled = false
 }
@@ -105,14 +110,12 @@ resource "aws_wafv2_web_acl" "graphql" {
 }
 }
 override_action {
- count {
-
- }
+ none {}
 }
 visibility_config {
 cloudwatch_metrics_enabled = true
 metric_name = "AWSManagedRulesCommonRuleSet"
- sampled_requests_enabled = true
+ sampled_requests_enabled = false
 }
 }
@@ -126,14 +129,31 @@ resource "aws_wafv2_web_acl" "graphql" {
 }
 }
 override_action {
- count {
+ none {}
+ }
+ visibility_config {
+ cloudwatch_metrics_enabled = true
+ metric_name = "AWSManagedRulesAmazonIpReputationList"
+ sampled_requests_enabled = false
+ }
+ }
+ rule {
+ name = "AWSManagedRulesKnownBadInputsRuleSet"
+ priority = 40
+ statement {
+ managed_rule_group_statement {
+ name = "AWSManagedRulesKnownBadInputsRuleSet"
+ vendor_name = "AWS"
 }
 }
+ override_action {
+ none {}
+ }
 visibility_config {
 cloudwatch_metrics_enabled = true
- metric_name = "AWSManagedRulesAmazonIpReputationList"
- sampled_requests_enabled = true
+ metric_name = "AWSManagedRulesKnownBadInputsRuleSet"
+ sampled_requests_enabled = false
 }
 }
diff --git a/terraform/module/wildsea/main.tf b/terraform/module/wildsea/main.tf
index 61c12747..3aadc378 100644
--- a/terraform/module/wildsea/main.tf
+++ b/terraform/module/wildsea/main.tf
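Review bot: With `# checkov:skip=CKV2_AWS_31` the ACL gets no logging configuration, and every `visibility_config` visible in this file now has `sampled_requests_enabled = false`, so once the managed rule groups move from `count {}` to `none {}` a blocked request leaves only an aggregate CloudWatch metric and nothing that shows which rule matched or what the request looked like. A cheaper middle ground than full logging is an `aws_wafv2_web_acl_logging_configuration` whose `logging_filter` keeps only BLOCK and COUNT actions, or re-enabling sampled requests on the managed rule groups alone. Whichever is chosen, the skip comment should say what replaces logging rather than only that logging is expensive, e.g. `# checkov:skip=CKV2_AWS_31:Full logging is too expensive; blocked requests are visible via <replacement>`. The `aws_wafv2_web_acl` resource continues outside the hunk.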
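Review bot: Switching `override_action` from `count {}` to `none {}` for AWSManagedRulesCommonRuleSet (and, in the hunk at 126, for the IP reputation list and the new KnownBadInputs group) makes these groups block in the same commit that turns `sampled_requests_enabled` off, so there is no record of what they were counting before they were allowed to block. For a GraphQL endpoint the common rule set's body-size and generic-pattern rules are the usual source of false positives on JSON bodies; if count-mode data was reviewed it is worth citing in the commit, and if not, holding specific rules in count via `rule_action_override` inside `managed_rule_group_statement` is cheaper than blocking legitimate clients. The `rule` blocks start outside the hunk.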
@@ -11,3 +11,9 @@ variable "saml_metadata_url" {
 description = "SAML metadata URL"
 type = string
 }
+
+variable "enable_waf" {
+ description = "Enable WAF? Has codt implications"
+ type = bool
+ default = false
+}
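Review bot: `default = false` makes the whole WAF opt-in, so the rate limit and the managed rule groups defined in graphql.tf are absent from any environment that does not set `enable_waf = true`, and the description does not say so; "codt" is also a typo. Suggest `description = "Enable the WAF in front of the GraphQL API (rate limit and AWS managed rule groups). Off by default; has cost implications."`. If the intent is that production always has it on, defaulting to `true` and letting dev override to `false` is the safer direction, though that is the maintainers' call.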