cds-snc / url-shortener

An API written in Python that shortens URLs
MIT License
4 stars, 1 fork

fix: unique name for WAF's login URI path regex #305

Closed patheard closed 1 year ago

patheard commented 1 year ago

Summary

Update the WAF login URI path regex pattern set to have a unique name.

Related

github-actions[bot] commented 1 year ago

Staging: cloudfront

✅ Terraform Init: success
✅ Terraform Validate: success
✅ Terraform Format: success
✅ Terraform Plan: success
✅ Conftest: success

Plan: 1 to add, 1 to change, 0 to destroy
Summary

| CHANGE | NAME |
|--------|------|
| add | `aws_wafv2_regex_pattern_set.login_uri_paths` |
| update | `aws_wafv2_web_acl.api_waf` |
Show plan ```terraform Resource actions are indicated with the following symbols: + create ~ update in-place Terraform will perform the following actions: # aws_wafv2_regex_pattern_set.login_uri_paths will be created + resource "aws_wafv2_regex_pattern_set" "login_uri_paths" { + arn = (known after apply) + description = "Regex to match the login paths of the API" + id = (known after apply) + lock_token = (known after apply) + name = "login-uri-paths" + scope = "CLOUDFRONT" + tags = { + "CostCentre" = "url-shortener-staging" + "Terraform" = "true" } + tags_all = { + "CostCentre" = "url-shortener-staging" + "Terraform" = "true" } + regular_expression { + regex_string = "^/en/(login|magic-link)/?$" } + regular_expression { + regex_string = "^/fr/(connexion|lien-magique)/?$" } } # aws_wafv2_web_acl.api_waf will be updated in-place ~ resource "aws_wafv2_web_acl" "api_waf" { id = "3b75fcdd-f01d-467b-92c2-cbb021fea8e9" name = "url-shortener-waf" tags = { "CostCentre" = "url-shortener-staging" "Terraform" = "true" } # (6 unchanged attributes hidden) + rule { + name = "LoginAPIRateLimit" + priority = 25 + action { + block { + custom_response { + custom_response_body_key = "json_request_rate_limited_error_response" + response_code = 429 } } } + statement { + rate_based_statement { + aggregate_key_type = "IP" + limit = 100 + scope_down_statement { + regex_pattern_set_reference_statement { + arn = (known after apply) + field_to_match { + uri_path {} } + text_transformation { + priority = 1 + type = "COMPRESS_WHITE_SPACE" } + text_transformation { + priority = 2 + type = "LOWERCASE" } } } } } + visibility_config { + cloudwatch_metrics_enabled = true + metric_name = "LoginAPIRateLimit" + sampled_requests_enabled = true } } - rule { - name = "AWSManagedRulesAmazonIpReputationList" -> null - priority = 10 -> null - override_action { - none {} } - statement { - managed_rule_group_statement { - name = "AWSManagedRulesAmazonIpReputationList" -> null - vendor_name = "AWS" -> null } } 
- visibility_config { - cloudwatch_metrics_enabled = true -> null - metric_name = "AWSManagedRulesAmazonIpReputationList" -> null - sampled_requests_enabled = true -> null } } + rule { + name = "AWSManagedRulesAmazonIpReputationList" + priority = 10 + override_action { + none {} } + statement { + managed_rule_group_statement { + name = "AWSManagedRulesAmazonIpReputationList" + vendor_name = "AWS" } } + visibility_config { + cloudwatch_metrics_enabled = true + metric_name = "AWSManagedRulesAmazonIpReputationList" + sampled_requests_enabled = true } } - rule { - name = "AWSManagedRulesCommonRuleSet" -> null - priority = 30 -> null - override_action { - none {} } - statement { - managed_rule_group_statement { - name = "AWSManagedRulesCommonRuleSet" -> null - vendor_name = "AWS" -> null } } - visibility_config { - cloudwatch_metrics_enabled = true -> null - metric_name = "AWSManagedRulesCommonRuleSet" -> null - sampled_requests_enabled = true -> null } } + rule { + name = "AWSManagedRulesCommonRuleSet" + priority = 30 + override_action { + none {} } + statement { + managed_rule_group_statement { + name = "AWSManagedRulesCommonRuleSet" + vendor_name = "AWS" } } + visibility_config { + cloudwatch_metrics_enabled = true + metric_name = "AWSManagedRulesCommonRuleSet" + sampled_requests_enabled = true } } - rule { - name = "AWSManagedRulesKnownBadInputsRuleSet" -> null - priority = 40 -> null - override_action { - none {} } - statement { - managed_rule_group_statement { - name = "AWSManagedRulesKnownBadInputsRuleSet" -> null - vendor_name = "AWS" -> null } } - visibility_config { - cloudwatch_metrics_enabled = true -> null - metric_name = "AWSManagedRulesKnownBadInputsRuleSet" -> null - sampled_requests_enabled = true -> null } } + rule { + name = "AWSManagedRulesKnownBadInputsRuleSet" + priority = 40 + override_action { + none {} } + statement { + managed_rule_group_statement { + name = "AWSManagedRulesKnownBadInputsRuleSet" + vendor_name = "AWS" } } + visibility_config { 
+ cloudwatch_metrics_enabled = true + metric_name = "AWSManagedRulesKnownBadInputsRuleSet" + sampled_requests_enabled = true } } - rule { - name = "AWSManagedRulesLinuxRuleSet" -> null - priority = 50 -> null - override_action { - none {} } - statement { - managed_rule_group_statement { - name = "AWSManagedRulesLinuxRuleSet" -> null - vendor_name = "AWS" -> null } } - visibility_config { - cloudwatch_metrics_enabled = true -> null - metric_name = "AWSManagedRulesLinuxRuleSet" -> null - sampled_requests_enabled = true -> null } } + rule { + name = "AWSManagedRulesLinuxRuleSet" + priority = 50 + override_action { + none {} } + statement { + managed_rule_group_statement { + name = "AWSManagedRulesLinuxRuleSet" + vendor_name = "AWS" } } + visibility_config { + cloudwatch_metrics_enabled = true + metric_name = "AWSManagedRulesLinuxRuleSet" + sampled_requests_enabled = true } } # (6 unchanged blocks hidden) } Plan: 1 to add, 1 to change, 0 to destroy. ───────────────────────────────────────────────────────────────────────────── Saved the plan to: plan.tfplan To perform exactly these actions, run the following command to apply: terraform apply "plan.tfplan" Releasing state lock. This may take a few moments... ```
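Review bot: the four `AWSManagedRules*` rule blocks (priorities 10, 30, 40 and 50) each appear as a `- rule { ... }` followed by an identical `+ rule { ... }` inside the in-place update of `aws_wafv2_web_acl.api_waf`; every visible attribute (name, priority, vendor_name, visibility_config) is the same before and after, so this is set-reordering noise caused by inserting `LoginAPIRateLimit` at priority 25, not a change to the managed rule coverage. Since the plan is `1 to change, 0 to destroy` and the ACL is not replaced, a quick post-apply check that all five rules are still listed on the web ACL is enough. Separately, the new pattern set is named `login-uri-paths` with no environment qualifier while its tags carry `url-shortener-staging`; if the staging and production web ACLs live in the same account under the CLOUDFRONT scope, that name could collide again, so consider including the environment in it. The rate-based statement shows `limit = 100` keyed by IP with no evaluation window set, so the AWS default 5-minute window applies; stating that in the rule description would save the next reader from looking it up.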
Conftest results:

```sh
WARN - plan.json - main - Missing Common Tags: ["module.resolver_dns.aws_route53_resolver_firewall_rule_group_association.firewall_rules[0]"]
WARN - plan.json - main - Missing Common Tags: ["module.resolver_dns.aws_route53_resolver_query_log_config.route53_vpc_dns"]

19 tests, 17 passed, 2 warnings, 0 failures, 0 exceptions
```