cds-snc / forms-terraform

Infrastructure as Code for the GC Forms environment
MIT License
16 stars 7 forks

fix: Remove rate limiting WAF on api domain url #889

Closed bryan-robitaille closed 1 week ago

bryan-robitaille commented 1 week ago

Summary | Résumé

Removes the blanket and POST rate limiting on the API Server URL that is co-hosted with the GCForms app in ECS and shares the same Load Balancer and WAF Rules.

The API remains protected through its own implementation of Token Bucket Rate Limiting.
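As an added illustration of the design this PR relies on (example code, not part of the forms-terraform project or the GC Forms API): a small Python model of the two WAF rate-based rules as the staging plan in the bot comment below leaves them, with the API host excluded from both, followed by a per-client token bucket standing in for the API's own limiter. The API hostname, the 300 s window and the 2500/100 limits come from the plan; the web hostname, client IPs, timestamps and the bucket capacity are constructed values, and the WAF counting model is a simplification (real WAF aggregates in coarse time buckets and keeps blocking for a while after the rate drops).

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Values from the staging plan; the API host is the one the scope-down excludes.
API_HOST = "api.forms-staging.cdssandbox.xyz"
WINDOW_SEC = 300
BLANKET_LIMIT = 2500
POST_LIMIT = 100
WEB_HOST = "forms-staging.cdssandbox.xyz"  # constructed, stands in for the app host


@dataclass(frozen=True)
class Request:
    ip: str
    host: str
    method: str
    ts: float  # seconds


def is_api_host(req: Request) -> bool:
    # Mirrors the plan: LOWERCASE text transformation, then an EXACTLY match
    # on the single_header "host", so "API.Forms-Staging..." is also excluded.
    return req.host.lower() == API_HOST


def is_post(req: Request) -> bool:
    # The POST rule matches the method, also after LOWERCASE.
    return req.method.lower() == "post"


class RateBasedRule:
    """Simplified rate_based_statement aggregated by IP (assumption: a request is
    blocked when it is the (limit+1)-th matching request from its IP inside the
    trailing window; requests scoped out by the scope-down are never counted)."""

    def __init__(self, name, limit, window_sec, matches):
        self.name = name
        self.limit = limit
        self.window_sec = window_sec
        self.matches = matches          # plays the role of scope_down_statement
        self.hits = defaultdict(deque)  # ip -> timestamps of counted requests

    def blocks(self, req: Request) -> bool:
        if not self.matches(req):
            return False
        q = self.hits[req.ip]
        while q and q[0] <= req.ts - self.window_sec:
            q.popleft()
        q.append(req.ts)
        return len(q) > self.limit


class TokenBucket:
    """Per-key token bucket: the kind of limiter the API keeps for itself.
    Capacity and refill rate are constructed, not the real API's settings."""

    def __init__(self, capacity: int, refill_per_sec: float):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.state = {}  # key -> (tokens, last_ts)

    def allow(self, key: str, now: float) -> bool:
        tokens, last = self.state.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        if tokens >= 1:
            self.state[key] = (tokens - 1, now)
            return True
        self.state[key] = (tokens, now)
        return False


def build_waf():
    """The two rules after this PR: both carry a not_statement on the API host."""
    blanket = RateBasedRule("BlanketRequestLimit", BLANKET_LIMIT, WINDOW_SEC,
                            lambda r: not is_api_host(r))
    post = RateBasedRule("PostRequestLimit", POST_LIMIT, WINDOW_SEC,
                         lambda r: not is_api_host(r) and is_post(r))
    return [blanket, post]


def simulate(requests, api_bucket_capacity=50, api_refill_per_sec=0.0):
    """Return, per request, the name of whatever blocked it, or None.
    Simplification: every WAF rule counts every request it matches, in priority
    order; API-host requests then pass through the API's own token bucket."""
    waf = build_waf()
    bucket = TokenBucket(api_bucket_capacity, api_refill_per_sec)
    verdicts = []
    for req in requests:
        hits = [rule.name for rule in waf if rule.blocks(req)]
        blocked_by = hits[0] if hits else None
        if blocked_by is None and is_api_host(req) and not bucket.allow(req.ip, req.ts):
            blocked_by = "ApiTokenBucket"
        verdicts.append(blocked_by)
    return verdicts


if __name__ == "__main__":
    # Constructed burst: 2501 GETs from one IP within the window, to each host.
    burst_web = [Request("198.51.100.7", WEB_HOST, "GET", i * 0.1) for i in range(2501)]
    burst_api = [Request("198.51.100.7", API_HOST, "GET", i * 0.1) for i in range(2501)]
    print("web host, last verdict:", simulate(burst_web)[-1])        # BlanketRequestLimit
    print("api host, WAF verdicts:", {v for v in simulate(burst_api) if v != "ApiTokenBucket"})
```

Running it shows the trade the PR makes explicit: the same burst that trips `BlanketRequestLimit` on the app host is never counted when the Host header (in any letter case) names the API, so the only limit left on that path is the API's own bucket.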

github-actions[bot] commented 1 week ago

⚠ Terraform update available

Terraform: 1.9.8 (using 1.9.2)
Terragrunt: 0.68.12 (using 0.63.2)
github-actions[bot] commented 1 week ago

Staging: load_balancer

✅   Terraform Init: success ✅   Terraform Validate: success ✅   Terraform Format: success ✅   Terraform Plan: success ✅   Conftest: success

Plan: 0 to add, 1 to change, 0 to destroy
Show summary

| CHANGE | NAME |
|--------|------|
| update | `aws_wafv2_rule_group.rate_limiters_group` |
Show plan ```terraform Resource actions are indicated with the following symbols: ~ update in-place Terraform will perform the following actions: # aws_wafv2_rule_group.rate_limiters_group will be updated in-place ~ resource "aws_wafv2_rule_group" "rate_limiters_group" { id = "51f888d4-a82d-4c56-8031-0da78ea6df8c" name = "RateLimitersGroup" tags = {} # (7 unchanged attributes hidden) - rule { - name = "BlanketRequestLimit" -> null - priority = 1 -> null - action { - block { } } - statement { - rate_based_statement { - aggregate_key_type = "IP" -> null - evaluation_window_sec = 300 -> null - limit = 2500 -> null } } - visibility_config { - cloudwatch_metrics_enabled = true -> null - metric_name = "BlanketRequestLimit" -> null - sampled_requests_enabled = true -> null } } - rule { - name = "PostRequestLimit" -> null - priority = 2 -> null - action { - block { } } - statement { - rate_based_statement { - aggregate_key_type = "IP" -> null - evaluation_window_sec = 300 -> null - limit = 100 -> null - scope_down_statement { - byte_match_statement { - positional_constraint = "EXACTLY" -> null - search_string = "post" -> null - field_to_match { - method {} } - text_transformation { - priority = 1 -> null - type = "LOWERCASE" -> null } } } } } - visibility_config { - cloudwatch_metrics_enabled = true -> null - metric_name = "PostRequestRateLimit" -> null - sampled_requests_enabled = true -> null } } + rule { + name = "BlanketRequestLimit" + priority = 1 + action { + block { } } + statement { + rate_based_statement { + aggregate_key_type = "IP" + evaluation_window_sec = 300 + limit = 2500 + scope_down_statement { + not_statement { + statement { + byte_match_statement { + positional_constraint = "EXACTLY" + search_string = "api.forms-staging.cdssandbox.xyz" + field_to_match { + single_header { + name = "host" } } + text_transformation { + priority = 1 + type = "LOWERCASE" } } } } } } } + visibility_config { + cloudwatch_metrics_enabled = true + metric_name = 
"BlanketRequestLimit" + sampled_requests_enabled = true } } + rule { + name = "PostRequestLimit" + priority = 2 + action { + block { } } + statement { + rate_based_statement { + aggregate_key_type = "IP" + evaluation_window_sec = 300 + limit = 100 + scope_down_statement { + and_statement { + statement { + not_statement { + statement { + byte_match_statement { + positional_constraint = "EXACTLY" + search_string = "api.forms-staging.cdssandbox.xyz" + field_to_match { + single_header { + name = "host" } } + text_transformation { + priority = 1 + type = "LOWERCASE" } } } } } + statement { + byte_match_statement { + positional_constraint = "EXACTLY" + search_string = "post" + field_to_match { + method {} } + text_transformation { + priority = 1 + type = "LOWERCASE" } } } } } } } + visibility_config { + cloudwatch_metrics_enabled = true + metric_name = "PostRequestRateLimit" + sampled_requests_enabled = true } } # (1 unchanged block hidden) } Plan: 0 to add, 1 to change, 0 to destroy. ───────────────────────────────────────────────────────────────────────────── Saved the plan to: plan.tfplan To perform exactly these actions, run the following command to apply: terraform apply "plan.tfplan" ```
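Review bot: the exemption in both rules is keyed on the client-supplied Host header (LOWERCASE, then EXACTLY against api.forms-staging.cdssandbox.xyz), so it only keeps the API under the token bucket if aws_alb_listener_rule.forms_api routes on that same host value; otherwise a request carrying that Host value but landing on the web app would be counted by neither rule. Worth confirming the listener condition and stating in the description that the API's own limiter is the compensating control. Also, the staging plan renders the hostname as a literal; make sure it is sourced from the environment's variables so the production apply exempts the production API host rather than this one.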
Show Conftest results

```sh
WARN - plan.json - main - Missing Common Tags: ["aws_acm_certificate.form_viewer"]
WARN - plan.json - main - Missing Common Tags: ["aws_acm_certificate.form_viewer_maintenance_mode"]
WARN - plan.json - main - Missing Common Tags: ["aws_acm_certificate.forms_api"]
WARN - plan.json - main - Missing Common Tags: ["aws_alb_listener_rule.forms_api"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudfront_distribution.maintenance_mode"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.firehose_waf_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_kinesis_firehose_delivery_stream.firehose_waf_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_lb.form_viewer"]
WARN - plan.json - main - Missing Common Tags: ["aws_lb_listener.form_viewer_http"]
WARN - plan.json - main - Missing Common Tags: ["aws_lb_listener.form_viewer_https"]
WARN - plan.json - main - Missing Common Tags: ["aws_lb_target_group.form_viewer_1"]
WARN - plan.json - main - Missing Common Tags: ["aws_lb_target_group.form_viewer_2"]
WARN - plan.json - main - Missing Common Tags: ["aws_lb_target_group.forms_api"]
WARN - plan.json - main - Missing Common Tags: ["aws_s3_bucket.maintenance_mode"]
WARN - plan.json - main - Missing Common Tags: ["aws_s3_object.maintenance_static_page_css_files[\"style.css\"]"]
WARN - plan.json - main - Missing Common Tags: ["aws_s3_object.maintenance_static_page_html_files[\"index-fr.html\"]"]
WARN - plan.json - main - Missing Common Tags: ["aws_s3_object.maintenance_static_page_html_files[\"index.html\"]"]
WARN - plan.json - main - Missing Common Tags: ["aws_s3_object.maintenance_static_page_ico_files[\"favicon.ico\"]"]
WARN - plan.json - main - Missing Common Tags: ["aws_s3_object.maintenance_static_page_svg_files[\"site-unavailable.svg\"]"]
WARN - plan.json - main - Missing Common Tags: ["aws_shield_protection.alb"]
WARN - plan.json - main - Missing Common Tags: ["aws_shield_protection.route53_hosted_zone[0]"]
WARN - plan.json - main - Missing...
```