cds-snc / gc-articles

This repo is for the GC Articles web publishing product undertaken by CDS platform, August 2021
GNU General Public License v2.0

Infrastructure release: 1.5.4 #1923

Closed patheard closed 3 weeks ago

patheard commented 3 weeks ago

Summary

Update WAF rule priority to avoid conflicts with AWS Shield Advanced rules.

Related

github-actions[bot] commented 3 weeks ago

Production: load-balancer

- ✅ Terraform Init: success
- ✅ Terraform Validate: success
- ✅ Terraform Format: success
- ✅ Terraform Plan: success
- ✅ Conftest: success

Plan: 0 to add, 2 to change, 0 to destroy
Show summary

| CHANGE | NAME |
|--------|------|
| update | `aws_s3_bucket.cloudfront_logs` |
| | `aws_wafv2_web_acl.wordpress_waf` |
Show plan

```terraform
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_s3_bucket.cloudfront_logs will be updated in-place
  ~ resource "aws_s3_bucket" "cloudfront_logs" {
        id   = "wordpress-fargate-production-cloudfront-logs"
        tags = {}
        # (14 unchanged attributes hidden)

      ~ lifecycle_rule {
            id   = "tf-s3-lifecycle-20211214191202112600000003"
            tags = {}
            # (3 unchanged attributes hidden)

          ~ expiration {
              ~ expired_object_delete_marker = false -> true
                # (2 unchanged attributes hidden)
            }

            # (1 unchanged block hidden)
        }

        # (3 unchanged blocks hidden)
    }

  # aws_wafv2_web_acl.wordpress_waf will be updated in-place
  ~ resource "aws_wafv2_web_acl" "wordpress_waf" {
        id   = "2e8635c1-e246-402d-95b3-5aab34b0325f"
        name = "wordpress_waf"
        tags = {
            "CostCentre" = "PlatformGCArticles"
        }
        # (9 unchanged attributes hidden)

      - rule {
          - name     = "WordpressRateLimit" -> null
          - priority = 101 -> null

          - action {
              - block {
                  - custom_response {
                      - response_code = 429 -> null
                        # (1 unchanged attribute hidden)

                      - response_header {
                          - name  = "waf-block" -> null
                          - value = "RateLimit" -> null
                        }
                    }
                }
            }

          - statement {
              - rate_based_statement {
                  - aggregate_key_type    = "IP" -> null
                  - evaluation_window_sec = 300 -> null
                  - limit                 = 2000 -> null
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = true -> null
              - metric_name                = "WordpressRateLimit" -> null
              - sampled_requests_enabled   = true -> null
            }
        }
      - rule {
          - name     = "AWSManagedRulesAmazonIpReputationList" -> null
          - priority = 10 -> null

          - override_action {
              - none {}
            }

          - statement {
              - managed_rule_group_statement {
                  - name        = "AWSManagedRulesAmazonIpReputationList" -> null
                  - vendor_name = "AWS" -> null
                    # (1 unchanged attribute hidden)
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = true -> null
              - metric_name                = "AWSManagedRulesAmazonIpReputationList" -> null
              - sampled_requests_enabled   = true -> null
            }
        }
      - rule {
          - name     = "AWSManagedRulesKnownBadInputsRuleSet" -> null
          - priority = 2 -> null

          - override_action {
              - none {}
            }

          - statement {
              - managed_rule_group_statement {
                  - name        = "AWSManagedRulesKnownBadInputsRuleSet" -> null
                  - vendor_name = "AWS" -> null
                    # (1 unchanged attribute hidden)
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = true -> null
              - metric_name                = "AWSManagedRulesKnownBadInputsRuleSet" -> null
              - sampled_requests_enabled   = true -> null
            }
        }
      - rule {
          - name     = "AWSManagedRulesPHPRuleSet" -> null
          - priority = 8 -> null

          - override_action {
              - none {}
            }

          - statement {
              - managed_rule_group_statement {
                  - name        = "AWSManagedRulesPHPRuleSet" -> null
                  - vendor_name = "AWS" -> null
                    # (1 unchanged attribute hidden)
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = true -> null
              - metric_name                = "AWSManagedRulesPHPRuleSet" -> null
              - sampled_requests_enabled   = true -> null
            }
        }
      - rule {
          - name     = "AWSManagedRulesWordPressRuleSet" -> null
          - priority = 9 -> null

          - override_action {
              - none {}
            }

          - statement {
              - managed_rule_group_statement {
                  - name        = "AWSManagedRulesWordPressRuleSet" -> null
                  - vendor_name = "AWS" -> null
                    # (1 unchanged attribute hidden)
                }
            }

          - visibility_config {
              - cloudwatch_metrics_enabled = true -> null
              - metric_name                = "AWSManagedRulesWordPressRuleSet" -> null
              - sampled_requests_enabled   = true -> null
            }
        }
      + rule {
          + name     = "WordpressRateLimit"
          + priority = 110

          + action {
              + block {
                  + custom_response {
                      + response_code = 429
                        # (1 unchanged attribute hidden)

                      + response_header {
                          + name  = "waf-block"
                          + value = "RateLimit"
                        }
                    }
                }
            }

          + statement {
              + rate_based_statement {
                  + aggregate_key_type    = "IP"
                  + evaluation_window_sec = 300
                  + limit                 = 2000
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "WordpressRateLimit"
              + sampled_requests_enabled   = true
            }
        }
      + rule {
          + name     = "BlockComments"
          + priority = 100

          + action {
              + block {
                }
            }

          + statement {
              + and_statement {
                  + statement {
                      + byte_match_statement {
                          + positional_constraint = "CONTAINS"
                          + search_string         = "wp-comments-post.php"

                          + field_to_match {
                              + uri_path {}
                            }

                          + text_transformation {
                              + priority = 0
                              + type     = "LOWERCASE"
                            }
                        }
                    }
                  + statement {
                      + byte_match_statement {
                          + positional_constraint = "EXACTLY"
                          + search_string         = "post"

                          + field_to_match {
                              + method {}
                            }

                          + text_transformation {
                              + priority = 0
                              + type     = "LOWERCASE"
                            }
                        }
                    }
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "BlockComments"
              + sampled_requests_enabled   = true
            }
        }
      + rule {
          + name     = "AWSManagedRulesAmazonIpReputationList"
          + priority = 10

          + override_action {
              + none {}
            }

          + statement {
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesAmazonIpReputationList"
                  + vendor_name = "AWS"
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "AWSManagedRulesAmazonIpReputationList"
              + sampled_requests_enabled   = true
            }
        }
      + rule {
          + name     = "AWSManagedRulesKnownBadInputsRuleSet"
          + priority = 2

          + override_action {
              + none {}
            }

          + statement {
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesKnownBadInputsRuleSet"
                  + vendor_name = "AWS"
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "AWSManagedRulesKnownBadInputsRuleSet"
              + sampled_requests_enabled   = true
            }
        }
      + rule {
          + name     = "AWSManagedRulesPHPRuleSet"
          + priority = 8

          + override_action {
              + none {}
            }

          + statement {
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesPHPRuleSet"
                  + vendor_name = "AWS"
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "AWSManagedRulesPHPRuleSet"
              + sampled_requests_enabled   = true
            }
        }
      + rule {
          + name     = "AWSManagedRulesWordPressRuleSet"
          + priority = 9

          + override_action {
              + none {}
            }

          + statement {
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesWordPressRuleSet"
                  + vendor_name = "AWS"
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "AWSManagedRulesWordPressRuleSet"
              + sampled_requests_enabled   = true
            }
        }

        # (10 unchanged blocks hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

Warning: Argument is deprecated

  with aws_s3_bucket.cloudfront_logs,
  on s3.tf line 4, in resource "aws_s3_bucket" "cloudfront_logs":
   4: resource "aws_s3_bucket" "cloudfront_logs" {

Use the aws_s3_bucket_server_side_encryption_configuration resource instead

(and 5 more similar warnings elsewhere)

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
```
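Review bot: the Summary only mentions the WAF rule priority change, but the plan applies two further changes that should be listed in it so the release notes match what is applied: a new `BlockComments` rule at priority 100 (blocking requests whose method is `post` and whose URI path contains `wp-comments-post.php`, both lowercased before matching), and `expired_object_delete_marker = false -> true` on the `cloudfront_logs` bucket lifecycle rule. The only priority that actually moves is `WordpressRateLimit` (101 -> 110); the four AWS managed rule groups show as removed and re-added because Terraform renders the rule set diff that way, and their priorities (2, 8, 9, 10) are unchanged. Since the deprecation warning on `aws_s3_bucket.cloudfront_logs` (`s3.tf` line 4, plus five similar) is already surfacing in this plan, consider a follow-up to move to `aws_s3_bucket_server_side_encryption_configuration` before a provider upgrade turns it into an error.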
Show Conftest results

```sh
WARN - plan.json - main - Missing Common Tags: ["aws_acm_certificate.wordpress"]
WARN - plan.json - main - Missing Common Tags: ["aws_acm_certificate.wordpress_cloudfront"]
WARN - plan.json - main - Missing Common Tags: ["aws_acm_certificate.wordpress_new[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_acm_certificate.wordpress_new_cloudfront[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudfront_distribution.wordpress"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.cache_buster"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.firehose_waf_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.firehose_waf_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_user.cache_buster"]
WARN - plan.json - main - Missing Common Tags: ["aws_lb.wordpress"]
WARN - plan.json - main - Missing Common Tags: ["aws_lb_listener.wordpress"]
WARN - plan.json - main - Missing Common Tags: ["aws_lb_target_group.wordpress"]
WARN - plan.json - main - Missing Common Tags: ["aws_s3_bucket.cloudfront_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_wafv2_web_acl.wordpress_waf"]
WARN - plan.json - main - Missing Common Tags: ["aws_wafv2_web_acl.wordpress_waf_alb"]

34 tests, 19 passed, 15 warnings, 0 failures, 0 exceptions
```