PLT-503: Add test and sandbox environments to DPC WAF plan and apply (#…

…128) ## 🎫 Ticket https://jira.cms.gov/browse/PLT-503 ## 🛠 Changes Adds test and sbx environments to the DPC WAF configuration ## ℹ️ Context These are changes made as a part of the overall WAF migration work. ## 🧪 Validation Once this is applied, we should see the Web ACL configurations show up with the placeholder IP sets. We'll need to manually update them in AWS, and then reapply once we remove the association with the security group on ingress.
CMSgov · Sep 23, 2024 · 77ab794 · 77ab794
1 parent b42d21d
commit 77ab794
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 25 deletions.
diff --git a/.github/workflows/api-waf-apply.yml b/.github/workflows/api-waf-apply.yml
@@ -23,7 +23,7 @@ jobs:
       fail-fast: false
       matrix:
         app: [dpc]
-        env: [dev]
+        env: [dev, test, sbx]
     steps:
       - uses: actions/checkout@v4
       - uses: ./actions/setup-tfenv-terraform

diff --git a/terraform/modules/firewall/main.tf b/terraform/modules/firewall/main.tf
@@ -62,36 +62,40 @@ resource "aws_wafv2_web_acl" "this" {
     }
   }
 
-  rule {
-    name     = "ip-sets"
-    priority = 2
+  dynamic "rule" {
+    for_each = length(var.ip_sets) > 0 ? [1] : []
 
-    action {
-      block {}
-    }
+    content {
+      name     = "ip-sets"
+      priority = 2
 
-    statement {
-      not_statement {
-        statement {
-          or_statement {
-            dynamic "statement" {
-              for_each = var.ip_sets
-              iterator = ip_set
-              content {
-                ip_set_reference_statement {
-                  arn = ip_set.value
+      action {
+        block {}
+      }
+
+      statement {
+        not_statement {
+          statement {
+            or_statement {
+              dynamic "statement" {
+                for_each = var.ip_sets
+                iterator = ip_set
+                content {
+                  ip_set_reference_statement {
+                    arn = ip_set.value
+                  }
                 }
               }
             }
           }
         }
       }
-    }
 
-    visibility_config {
-      cloudwatch_metrics_enabled = true
-      metric_name                = "${var.name}-ip-sets"
-      sampled_requests_enabled   = false
+      visibility_config {
+        cloudwatch_metrics_enabled = true
+        metric_name                = "${var.name}-ip-sets"
+        sampled_requests_enabled   = false
+      }
     }
   }
 

diff --git a/terraform/services/api-waf/main.tf b/terraform/services/api-waf/main.tf
@@ -17,11 +17,13 @@ data "aws_lb" "api" {
 }
 
 data "aws_wafv2_ip_set" "external_services" {
+  count = var.env == "sbx" ? 0 : 1
   name  = "external-services"
   scope = "REGIONAL"
 }
 
 resource "aws_wafv2_ip_set" "api_customers" {
+  count              = var.env == "sbx" ? 0 : 1
   name               = "${var.app}-${var.env}-api-customers"
   description        = "IP ranges for customers of this API"
   scope              = "REGIONAL"
@@ -49,8 +51,8 @@ module "aws_waf" {
   content_type = "APPLICATION_JSON"
 
   associated_resource_arn = data.aws_lb.api.arn
-  ip_sets = [
-    data.aws_wafv2_ip_set.external_services.arn,
-    aws_wafv2_ip_set.api_customers.arn,
+  ip_sets = var.env == "sbx" ? [] : [
+    one(data.aws_wafv2_ip_set.external_services).arn,
+    one(aws_wafv2_ip_set.api_customers).arn,
   ]
 }