From 77ab79452544fe5071c16a4a7de252c736c165a0 Mon Sep 17 00:00:00 2001
From: gfreeman-navapbc <129095098+gfreeman-navapbc@users.noreply.github.com>
Date: Mon, 23 Sep 2024 09:30:31 -0700
Subject: [PATCH] PLT-503: Add test and sandbox environments to DPC WAF plan and apply (#128)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## 🎫 Ticket
https://jira.cms.gov/browse/PLT-503

## 🛠 Changes
Adds test and sbx environments to the DPC WAF configuration

## ℹ️ Context
These are changes made as a part of the overall WAF migration work.

## 🧪 Validation
Once this is applied, we should see the Web ACL configurations show up with the placeholder IP sets. We'll need to manually update them in AWS, and then reapply once we remove the association with the security group on ingress.
---
 .github/workflows/api-waf-apply.yml | 2 +-
 terraform/modules/firewall/main.tf | 46 ++++++++++++++++-------------
 terraform/services/api-waf/main.tf | 8 +++--
 3 files changed, 31 insertions(+), 25 deletions(-)

diff --git a/.github/workflows/api-waf-apply.yml b/.github/workflows/api-waf-apply.yml
index 93479764..0690ff40 100644
--- a/.github/workflows/api-waf-apply.yml
+++ b/.github/workflows/api-waf-apply.yml
@@ -23,7 +23,7 @@ jobs:
 fail-fast: false
 matrix:
 app: [dpc]
- env: [dev]
+ env: [dev, test, sbx]
 steps:
 - uses: actions/checkout@v4
 - uses: ./actions/setup-tfenv-terraform
diff --git a/terraform/modules/firewall/main.tf b/terraform/modules/firewall/main.tf
index 51f0f1d6..a182ad3e 100644
--- a/terraform/modules/firewall/main.tf
+++ b/terraform/modules/firewall/main.tf
@@ -62,36 +62,40 @@ resource "aws_wafv2_web_acl" "this" { } } - rule { - name = "ip-sets" - priority = 2 + dynamic "rule" { + for_each = length(var.ip_sets) > 0 ? [1] : [] - action { - block {} - } + content { + name = "ip-sets" + priority = 2 - statement { - not_statement { - statement { - or_statement { - dynamic "statement" { - for_each = var.ip_sets - iterator = ip_set - content { - ip_set_reference_statement { - arn = ip_set.value + action { + block {} + } + + statement { + not_statement { + statement { + or_statement { + dynamic "statement" { + for_each = var.ip_sets + iterator = ip_set + content { + ip_set_reference_statement { + arn = ip_set.value + } } } } } } } - } - visibility_config { - cloudwatch_metrics_enabled = true - metric_name = "${var.name}-ip-sets" - sampled_requests_enabled = false + visibility_config { + cloudwatch_metrics_enabled = true + metric_name = "${var.name}-ip-sets" + sampled_requests_enabled = false + } } } diff --git a/terraform/services/api-waf/main.tf b/terraform/services/api-waf/main.tf index d160c94f..ad77de3a 100644 --- a/terraform/services/api-waf/main.tf +++ b/terraform/services/api-waf/main.tf @@ -17,11 +17,13 @@ data "aws_lb" "api" { } data "aws_wafv2_ip_set" "external_services" { + count = var.env == "sbx" ? 0 : 1 name = "external-services" scope = "REGIONAL" } resource "aws_wafv2_ip_set" "api_customers" { + count = var.env == "sbx" ? 0 : 1 name = "${var.app}-${var.env}-api-customers" description = "IP ranges for customers of this API" scope = "REGIONAL" @@ -49,8 +51,8 @@ module "aws_waf" { content_type = "APPLICATION_JSON" associated_resource_arn = data.aws_lb.api.arn - ip_sets = [ - data.aws_wafv2_ip_set.external_services.arn, - aws_wafv2_ip_set.api_customers.arn, + ip_sets = var.env == "sbx" ? [] : [ + one(data.aws_wafv2_ip_set.external_services).arn, + one(aws_wafv2_ip_set.api_customers).arn, ] }
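Review bot: The new `for_each = length(var.ip_sets) > 0 ? [1] : []` guard on `dynamic "rule"` handles only the empty list; a single-element `var.ip_sets` still produces an `or_statement` with one child, and if I recall correctly WAFv2 rejects an OrStatement with fewer than two statements at apply time, so that case deserves either a `validation` block on the variable (its declaration is outside this hunk) or at least a comment on the guard such as `# or_statement needs >= 2 ip sets; a single-element list is still rejected by WAFv2`. Omitting the rule also omits the `${var.name}-ip-sets` CloudWatch metric for that environment, so an alarm or dashboard keyed on it sees no data rather than zero blocks, which the same comment should mention. When the rule is absent, requests the allowlist would have blocked fall through to the remaining rules and the web ACL's default action, which is outside this hunk.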
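Review bot: The `var.env == "sbx"` test is written out three times, on both `count` lines in this hunk and again in the `ip_sets` ternary of the next hunk of this file, so a future environment exemption has to be changed in three places; a single `locals { ip_allowlist_enabled = var.env != "sbx" }` with `count = local.ip_allowlist_enabled ? 1 : 0` and `ip_sets = local.ip_allowlist_enabled ? [...] : []` keeps them in step. The exemption is also undocumented: because the firewall module drops the ip-sets block rule when the list is empty, sbx traffic is governed only by the ACL's other rules and its default action, which is worth stating above the first `count`, e.g. `# sbx has no customer IP allowlist; its Web ACL relies on the remaining rules and the default action`. The `module "aws_waf"` block in the next hunk starts outside that hunk.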