cds-snc / gc-articles

This repo is for the GC Articles web publishing product, undertaken by the CDS platform in August 2021
GNU General Public License v2.0

fix: block POST requests to add comments #1920

Closed patheard closed 3 weeks ago

patheard commented 3 weeks ago

Summary

Update the WAF ACL so that POST requests to add comments are blocked. This is being done because we are being spammed and do not want to ever allow comments to be posted.

Related

github-actions[bot] commented 3 weeks ago

Staging: load-balancer

✅ Terraform Init: success
✅ Terraform Validate: success
✅ Terraform Format: success
✅ Terraform Plan: success
✅ Conftest: success

Plan: 0 to add, 2 to change, 0 to destroy
Show summary

| CHANGE | NAME |
|--------|-----------------------------------|
| update | `aws_s3_bucket.cloudfront_logs` |
| | `aws_wafv2_web_acl.wordpress_waf` |
Show plan

```terraform
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_s3_bucket.cloudfront_logs will be updated in-place
  ~ resource "aws_s3_bucket" "cloudfront_logs" {
        id   = "wordpress-fargate-staging-cloudfront-logs"
        tags = {}
        # (14 unchanged attributes hidden)

      ~ lifecycle_rule {
            id   = "tf-s3-lifecycle-20210927173855550600000003"
            tags = {}
            # (3 unchanged attributes hidden)

          ~ expiration {
              ~ expired_object_delete_marker = false -> true
                # (2 unchanged attributes hidden)
            }

            # (1 unchanged block hidden)
        }

        # (3 unchanged blocks hidden)
    }

  # aws_wafv2_web_acl.wordpress_waf will be updated in-place
  ~ resource "aws_wafv2_web_acl" "wordpress_waf" {
        id   = "d578506d-443d-45bc-afe7-182599e8d052"
        name = "wordpress_waf"
        tags = {
            "CostCentre" = "PlatformGCArticles"
        }
        # (9 unchanged attributes hidden)

      - rule {
          - name     = "WordpressRateLimit" -> null
          - priority = 101 -> null

          - action {
              - block {
                  - custom_response {
                      - response_code = 429 -> null
                        # (1 unchanged attribute hidden)

                      - response_header {
                          - name  = "waf-block" -> null
                          - value = "RateLimit" -> null
                        }
                    }
                }
            }

          - statement {
              - rate_based_statement {
                  - aggregate_key_type    = "IP" -> null
                  - evaluation_window_sec = 300 -> null
                  - limit                 = 2000 -> null
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = true -> null
              - metric_name                = "WordpressRateLimit" -> null
              - sampled_requests_enabled   = true -> null
            }
        }
      - rule {
          - name     = "AWSManagedRulesAmazonIpReputationList" -> null
          - priority = 10 -> null

          - override_action {
              - none {}
            }

          - statement {
              - managed_rule_group_statement {
                  - name        = "AWSManagedRulesAmazonIpReputationList" -> null
                  - vendor_name = "AWS" -> null
                    # (1 unchanged attribute hidden)
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = true -> null
              - metric_name                = "AWSManagedRulesAmazonIpReputationList" -> null
              - sampled_requests_enabled   = true -> null
            }
        }
      - rule {
          - name     = "AWSManagedRulesKnownBadInputsRuleSet" -> null
          - priority = 2 -> null

          - override_action {
              - none {}
            }

          - statement {
              - managed_rule_group_statement {
                  - name        = "AWSManagedRulesKnownBadInputsRuleSet" -> null
                  - vendor_name = "AWS" -> null
                    # (1 unchanged attribute hidden)
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = true -> null
              - metric_name                = "AWSManagedRulesKnownBadInputsRuleSet" -> null
              - sampled_requests_enabled   = true -> null
            }
        }
      - rule {
          - name     = "AWSManagedRulesPHPRuleSet" -> null
          - priority = 8 -> null

          - override_action {
              - none {}
            }

          - statement {
              - managed_rule_group_statement {
                  - name        = "AWSManagedRulesPHPRuleSet" -> null
                  - vendor_name = "AWS" -> null
                    # (1 unchanged attribute hidden)
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = true -> null
              - metric_name                = "AWSManagedRulesPHPRuleSet" -> null
              - sampled_requests_enabled   = true -> null
            }
        }
      - rule {
          - name     = "AWSManagedRulesWordPressRuleSet" -> null
          - priority = 9 -> null

          - override_action {
              - none {}
            }

          - statement {
              - managed_rule_group_statement {
                  - name        = "AWSManagedRulesWordPressRuleSet" -> null
                  - vendor_name = "AWS" -> null
                    # (1 unchanged attribute hidden)
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = true -> null
              - metric_name                = "AWSManagedRulesWordPressRuleSet" -> null
              - sampled_requests_enabled   = true -> null
            }
        }
      + rule {
          + name     = "WordpressRateLimit"
          + priority = 101

          + action {
              + block {
                  + custom_response {
                      + response_code = 429

                      + response_header {
                          + name  = "waf-block"
                          + value = "RateLimit"
                        }
                    }
                }
            }

          + statement {
              + rate_based_statement {
                  + aggregate_key_type    = "IP"
                  + evaluation_window_sec = 300
                  + limit                 = 2000
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "WordpressRateLimit"
              + sampled_requests_enabled   = true
            }
        }
      + rule {
          + name     = "BlockComments"
          + priority = 13

          + action {
              + block {
                }
            }

          + statement {
              + and_statement {
                  + statement {
                      + byte_match_statement {
                          + positional_constraint = "CONTAINS"
                          + search_string         = "wp-comments-post.php"

                          + field_to_match {
                              + uri_path {}
                            }

                          + text_transformation {
                              + priority = 0
                              + type     = "LOWERCASE"
                            }
                        }
                    }
                  + statement {
                      + byte_match_statement {
                          + positional_constraint = "EXACTLY"
                          + search_string         = "post"

                          + field_to_match {
                              + method {}
                            }

                          + text_transformation {
                              + priority = 0
                              + type     = "LOWERCASE"
                            }
                        }
                    }
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "BlockComments"
              + sampled_requests_enabled   = true
            }
        }
      + rule {
          + name     = "AWSManagedRulesAmazonIpReputationList"
          + priority = 10

          + override_action {
              + none {}
            }

          + statement {
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesAmazonIpReputationList"
                  + vendor_name = "AWS"
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "AWSManagedRulesAmazonIpReputationList"
              + sampled_requests_enabled   = true
            }
        }
      + rule {
          + name     = "AWSManagedRulesKnownBadInputsRuleSet"
          + priority = 2

          + override_action {
              + none {}
            }

          + statement {
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesKnownBadInputsRuleSet"
                  + vendor_name = "AWS"
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "AWSManagedRulesKnownBadInputsRuleSet"
              + sampled_requests_enabled   = true
            }
        }
      + rule {
          + name     = "AWSManagedRulesPHPRuleSet"
          + priority = 8

          + override_action {
              + none {}
            }

          + statement {
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesPHPRuleSet"
                  + vendor_name = "AWS"
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "AWSManagedRulesPHPRuleSet"
              + sampled_requests_enabled   = true
            }
        }
      + rule {
          + name     = "AWSManagedRulesWordPressRuleSet"
          + priority = 9

          + override_action {
              + none {}
            }

          + statement {
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesWordPressRuleSet"
                  + vendor_name = "AWS"
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "AWSManagedRulesWordPressRuleSet"
              + sampled_requests_enabled   = true
            }
        }

        # (10 unchanged blocks hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

Warning: Argument is deprecated

  with aws_s3_bucket.cloudfront_logs,
  on s3.tf line 4, in resource "aws_s3_bucket" "cloudfront_logs":
   4: resource "aws_s3_bucket" "cloudfront_logs" {

Use the aws_s3_bucket_acl resource instead

(and 5 more similar warnings elsewhere)

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
```
Show Conftest results

```sh
WARN - plan.json - main - Missing Common Tags: ["aws_acm_certificate.wordpress"]
WARN - plan.json - main - Missing Common Tags: ["aws_acm_certificate.wordpress_cloudfront"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudfront_distribution.wordpress"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.cache_buster"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.firehose_waf_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.firehose_waf_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_user.cache_buster"]
WARN - plan.json - main - Missing Common Tags: ["aws_lb.wordpress"]
WARN - plan.json - main - Missing Common Tags: ["aws_lb_listener.wordpress"]
WARN - plan.json - main - Missing Common Tags: ["aws_lb_target_group.wordpress"]
WARN - plan.json - main - Missing Common Tags: ["aws_s3_bucket.cloudfront_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_wafv2_web_acl.wordpress_waf"]
WARN - plan.json - main - Missing Common Tags: ["aws_wafv2_web_acl.wordpress_waf_alb"]

32 tests, 19 passed, 13 warnings, 0 failures, 0 exceptions
```
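As an added example (not code from the gc-articles repo or from this PR), the Python below models the `BlockComments` rule shown in the plan above so its matching behaviour can be checked before the ACL change is applied: `LOWERCASE` on both fields, `CONTAINS` on `uri_path`, `EXACTLY "post"` on the method, joined by an `and_statement`. The `Request`, `byte_match` and `waf_action` names and the sample requests are constructed for this example.

```python
from dataclasses import dataclass


@dataclass
class Request:
    """A request as AWS WAFv2 field_to_match sees it (constructed model)."""
    method: str
    uri_path: str

    @classmethod
    def from_target(cls, method: str, target: str) -> "Request":
        # WAF's uri_path field stops at '?', so the query string is never inspected.
        return cls(method, target.split("?", 1)[0])


def lowercase(value: str) -> str:
    """The LOWERCASE text transformation applied before each byte match."""
    return value.lower()


def byte_match(value: str, search_string: str, positional_constraint: str) -> bool:
    """The two byte_match_statement constraints the BlockComments rule uses."""
    if positional_constraint == "CONTAINS":
        return search_string in value
    if positional_constraint == "EXACTLY":
        return value == search_string
    raise ValueError(f"unsupported positional_constraint: {positional_constraint}")


def block_comments_rule(req: Request) -> bool:
    """and_statement: block only when both the path and the method match."""
    path_hit = byte_match(lowercase(req.uri_path), "wp-comments-post.php", "CONTAINS")
    method_hit = byte_match(lowercase(req.method), "post", "EXACTLY")
    return path_hit and method_hit


def waf_action(req: Request) -> str:
    """Outcome of this rule alone; ALLOW means the request falls through to later rules."""
    return "BLOCK" if block_comments_rule(req) else "ALLOW"


if __name__ == "__main__":
    # Constructed sample requests, not traffic from the staging environment.
    samples = [
        ("POST", "/wp-comments-post.php"),
        ("post", "/WP-Comments-Post.php?foo=1"),
        ("GET", "/wp-comments-post.php"),
        ("POST", "/blog/wp-comments-post.php/"),
        ("POST", "/index.php?go=wp-comments-post.php"),
    ]
    for method, target in samples:
        print(f"{method:<5} {target:<40} -> {waf_action(Request.from_target(method, target))}")
```

Only the method and the path are inspected, so a GET to the endpoint and a POST that carries the file name only in its query string are not blocked by this rule and are left to the managed rule groups behind it.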