cds-snc / notification-terraform

Terraform for notification.canada.ca
MIT License

Add template-category & template-categories to the waf rules #1462

Closed whabanks closed 1 month ago

whabanks commented 1 month ago

Summary | Résumé

Add template-category & template-categories to the ADMIN WAF rules. Remove template-categories from the API WAF rules.

Related Issues | Cartes liées

Related Incident

Test instructions | Instructions pour tester la modification

Check if /template-categories works in production now...

Release Instructions | Instructions pour le déploiement

None.

Reviewer checklist | Liste de vérification du réviseur

⚠ If boxes cannot be checked off before merging the PR, they should be moved to the "Release Instructions" section with appropriate steps required to verify before release. For example, changes to celery code may require tests on staging to verify that performance has not been affected.

github-actions[bot] commented 1 month ago

Staging: common

✅   Terraform Init: success ✅   Terraform Validate: success ✅   Terraform Format: success ✅   Terraform Plan: success ✅   Conftest: success

Plan: 0 to add, 2 to change, 0 to destroy
Show summary

| CHANGE | NAME |
|--------|------|
| update | `aws_wafv2_regex_pattern_set.re_admin2` |
|        | `aws_wafv2_regex_pattern_set.re_api` |

Show plan

```terraform
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_wafv2_regex_pattern_set.re_admin2 will be updated in-place
  ~ resource "aws_wafv2_regex_pattern_set" "re_admin2" {
        id   = "4850246e-f23c-4156-b229-6d0a302bea05"
        name = "re_admin2"
        tags = {
            "CostCenter" = "notification-canada-ca-staging"
        }
        # (5 unchanged attributes hidden)

      - regular_expression {
          - regex_string = "/sitemap|/plandesite|/agree-terms|/getting-started|/decouvrir-notification-gc|/template-categories.*" -> null
        }
      + regular_expression {
          + regex_string = "/sitemap|/plandesite|/agree-terms|/getting-started|/decouvrir-notification-gc|/template-category.*|/template-categories.*"
        }
    }

  # aws_wafv2_regex_pattern_set.re_api will be updated in-place
  ~ resource "aws_wafv2_regex_pattern_set" "re_api" {
        id   = "ddb868dd-2a8c-40e9-bfc0-cc5a25fc3aea"
        name = "re_api"
        tags = {
            "CostCenter" = "notification-canada-ca-staging"
        }
        # (5 unchanged attributes hidden)

      - regular_expression {
          - regex_string = "/_debug|/_status.*|/api-key.*|/complaint.*|/email-branding.*|/events.*|/inbound-number.*|/invite.*|/letter-branding.*|/letters.*|/template-category.*|/template-categories.*" -> null
        }
      + regular_expression {
          + regex_string = "/_debug|/_status.*|/api-key.*|/complaint.*|/email-branding.*|/events.*|/inbound-number.*|/invite.*|/letter-branding.*|/letters.*|/template-category.*"
        }

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

Warning: Argument is deprecated

  with aws_s3_bucket.csv_bucket,
  on s3.tf line 5, in resource "aws_s3_bucket" "csv_bucket":
   5: resource "aws_s3_bucket" "csv_bucket" {

Use the aws_s3_bucket_lifecycle_configuration resource instead

(and 69 more similar warnings elsewhere)

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
```

Show Conftest results

```sh
WARN - plan.json - main - Missing Common Tags: ["aws_athena_workgroup.ad_hoc"]
WARN - plan.json - main - Missing Common Tags: ["aws_athena_workgroup.build_tables"]
WARN - plan.json - main - Missing Common Tags: ["aws_athena_workgroup.primary"]
WARN - plan.json - main - Missing Common Tags: ["aws_athena_workgroup.support"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.aws_health[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.route53_resolver_query_log[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.sns_deliveries[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.sns_deliveries_failures[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.sns_deliveries_failures_us_west_2[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.sns_deliveries_us_west_2[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.bulk-bulk-not-being-processed-critical[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.bulk-bulk-not-being-processed-warning[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.bulk-inflights-not-being-processed-critical[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.bulk-inflights-not-being-processed-warning[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.bulk-not-being-processed-critical[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.bulk-not-being-processed-warning[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.contact-3-500-error-15-minutes-critical[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.document-download-bucket-size-warning[0]"]
WARN - plan.json - main - Missing Common Tags:...
```
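The `regex_string` values in the plan above are what this PR actually changes. As an added example (not code from the notification-terraform repository), the script below routes a few constructed sample paths through the before/after pattern sets, assuming that AWS WAF evaluates a regex pattern set as an unanchored search over the URI path (a set hits if any alternative is found anywhere in the path).

```python
"""Compare which request paths the admin and API WAF regex pattern sets match
before and after this PR. The four regex strings are copied from the staging
Terraform plan; SAMPLE_PATHS are constructed examples. Assumption: AWS WAF
matches a regex pattern set as an unanchored search over the URI path."""
import re

ADMIN_BEFORE = "/sitemap|/plandesite|/agree-terms|/getting-started|/decouvrir-notification-gc|/template-categories.*"
ADMIN_AFTER = "/sitemap|/plandesite|/agree-terms|/getting-started|/decouvrir-notification-gc|/template-category.*|/template-categories.*"
API_BEFORE = "/_debug|/_status.*|/api-key.*|/complaint.*|/email-branding.*|/events.*|/inbound-number.*|/invite.*|/letter-branding.*|/letters.*|/template-category.*|/template-categories.*"
API_AFTER = "/_debug|/_status.*|/api-key.*|/complaint.*|/email-branding.*|/events.*|/inbound-number.*|/invite.*|/letter-branding.*|/letters.*|/template-category.*"

# Constructed sample paths: the two path families touched by the PR plus controls.
SAMPLE_PATHS = [
    "/template-categories",
    "/template-categories/1a2b",
    "/template-category/1a2b",
    "/sitemap",
    "/letters/123",
    "/templates",
]


def waf_matches(pattern_set: str, uri_path: str) -> bool:
    """True if any alternative of the pattern set is found anywhere in the path."""
    return re.search(pattern_set, uri_path) is not None


def route(uri_path: str, admin_re: str, api_re: str) -> str:
    """Label a path by the pattern set(s) it hits: 'admin', 'api', 'both' or 'none'."""
    hits = {name for name, rx in (("admin", admin_re), ("api", api_re)) if waf_matches(rx, uri_path)}
    if hits == {"admin", "api"}:
        return "both"
    return hits.pop() if hits else "none"


def routing_changes(paths):
    """Return {path: (before, after)} for every path whose routing the PR changes."""
    changes = {}
    for path in paths:
        before = route(path, ADMIN_BEFORE, API_BEFORE)
        after = route(path, ADMIN_AFTER, API_AFTER)
        if before != after:
            changes[path] = (before, after)
    return changes


if __name__ == "__main__":
    for path, (before, after) in routing_changes(SAMPLE_PATHS).items():
        print(f"{path}: {before} -> {after}")
```

Note that `/template-category.*` does not match `/template-categories` (the two words diverge at `y` vs `ies`), so both alternatives are needed in the admin set; conversely, the API set keeps `/template-category.*`, so `/template-category/...` paths hit both sets after the change.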
github-actions[bot] commented 1 month ago

Staging: heartbeat

✅   Terraform Init: success ✅   Terraform Validate: success ✅   Terraform Format: success ✅   Terraform Plan: success ✅   Conftest: success

Plan: 0 to add, 1 to change, 0 to destroy
Show summary

| CHANGE | NAME |
|--------|------|
| update | `module.heartbeat.aws_lambda_function.this` |

Show plan

```terraform
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.heartbeat.aws_lambda_function.this will be updated in-place
  ~ resource "aws_lambda_function" "this" {
      - description = "2024-07-24T18:23:46Z" -> null
        id          = "heartbeat"
        tags        = {
            "CostCentre" = "notification-canada-ca-staging"
            "Terraform"  = "true"
        }
        # (20 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
```

Show Conftest results

```sh
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.heartbeat_testing[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.heartbeat_log_group[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.logs-1-500-error-1-minute-warning-heartbeat-api[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.logs-10-500-error-5-minutes-critical-heartbeat-api[0]"]

23 tests, 19 passed, 4 warnings, 0 failures, 0 exceptions
```
github-actions[bot] commented 1 month ago

Staging: quicksight

✅   Terraform Init: success ✅   Terraform Validate: success ✅   Terraform Format: success ✅   Terraform Plan: success ✅   Conftest: success

Plan: 0 to add, 1 to change, 0 to destroy
Show summary

| CHANGE | NAME |
|--------|------|
| update | `aws_s3_object.manifest_file` |

Show plan

```terraform
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_s3_object.manifest_file will be updated in-place
  ~ resource "aws_s3_object" "manifest_file" {
      ~ etag       = "4f558e8d8cdbbf914a95755cbda61968" -> "221f592f333f2fc284626cfdb8c4bc80"
        id         = "quicksight/s3-manifest-sms-usage.json"
        tags       = {}
      + version_id = (known after apply)
        # (11 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
```

Show Conftest results

```sh
WARN - plan.json - main - Missing Common Tags: ["aws_cloudformation_stack.sms-usage-notifications"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.quicksight-rds"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.quicksight-s3-usage"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.quicksight_vpc_connection_ec2"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.quicksight_vpc_connection_iam"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.quicksight"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.vpc_connection_role"]
WARN - plan.json - main - Missing Common Tags: ["aws_quicksight_data_set.jobs"]
WARN - plan.json - main - Missing Common Tags: ["aws_quicksight_data_set.login_events"]
WARN - plan.json - main - Missing Common Tags: ["aws_quicksight_data_set.notifications"]
WARN - plan.json - main - Missing Common Tags: ["aws_quicksight_data_set.organisation"]
WARN - plan.json - main - Missing Common Tags: ["aws_quicksight_data_set.services"]
WARN - plan.json - main - Missing Common Tags: ["aws_quicksight_data_set.sms_usage"]
WARN - plan.json - main - Missing Common Tags: ["aws_quicksight_data_set.templates"]
WARN - plan.json - main - Missing Common Tags: ["aws_quicksight_data_set.users"]
WARN - plan.json - main - Missing Common Tags: ["aws_quicksight_data_source.rds"]
WARN - plan.json - main - Missing Common Tags: ["aws_quicksight_data_source.s3_sms_usage"]
WARN - plan.json - main - Missing Common Tags: ["aws_quicksight_vpc_connection.rds"]
WARN - plan.json - main - Missing Common Tags: ["aws_s3_object.manifest_file"]

38 tests, 19 passed, 19 warnings, 0 failures, 0 exceptions
```
github-actions[bot] commented 1 month ago

Staging: system_status

✅   Terraform Init: success ✅   Terraform Validate: success ✅   Terraform Format: success ✅   Terraform Plan: success ✅   Conftest: success

Plan: 0 to add, 1 to change, 0 to destroy
Show summary

| CHANGE | NAME |
|--------|------|
| update | `module.system_status.aws_lambda_function.this` |

Show plan

```terraform
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.system_status.aws_lambda_function.this will be updated in-place
  ~ resource "aws_lambda_function" "this" {
      - description = "2024-07-24T18:23:54Z" -> null
        id          = "system_status"
        tags        = {
            "CostCentre" = "notification-canada-ca-staging"
            "Terraform"  = "true"
        }
        # (21 unchanged attributes hidden)

        # (5 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
```

Show Conftest results

```sh
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.system_status_testing[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.system_status_log_group[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.logs-1-500-error-1-minute-warning-system_status-api[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.logs-10-500-error-5-minutes-critical-system_status-api[0]"]

23 tests, 19 passed, 4 warnings, 0 failures, 0 exceptions
```