The final task for ensuring the architecture matches the security diagram sent to clients.
Additionally, the pinned version of Terraform we were using didn't have the rule_option_override argument for WAF resources. The only option available was excluded_rule, which has been deprecated by Amazon.
Testing
Run terraform --version to ensure the proper version is installed (as of this PR that will be 4.59.0).
If that isn't the version you have locally, you may need to run the terraform init -upgrade command to make sure the provider version is compatible with the version in Terraform's state.
Check the console to ensure that the WAF is properly configured.
Open Question
One of the WAF checkov triggers is a logging configuration for WAF using Kinesis. Is this something we want to add?
Raw notes from waf/main.tf
# AWS 31 (WAF needs a logging config) Needs three services:
# 1. WAF to generate logs
# 2. Kinesis Firehose to receive logs
# 3. S3 to store the logs.
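Sketch of the three-service logging path the notes describe, as an added example and not code from this PR's waf/main.tf; bucket and stream names are placeholders, and the web ACL reference aws_wafv2_web_acl.this is an assumption about how waf/main.tf names it.

```hcl
resource "aws_s3_bucket" "waf_logs" {
  bucket = "example-waf-logs" # placeholder; names must be globally unique
}

# Firehose assumes this role to write into the bucket.
data "aws_iam_policy_document" "firehose_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["firehose.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "waf_logs_firehose" {
  name               = "waf-logs-firehose"
  assume_role_policy = data.aws_iam_policy_document.firehose_assume.json
}

# Least privilege: only what Firehose needs on this one bucket.
data "aws_iam_policy_document" "firehose_s3" {
  statement {
    actions   = ["s3:AbortMultipartUpload", "s3:GetBucketLocation", "s3:ListBucket", "s3:PutObject"]
    resources = [aws_s3_bucket.waf_logs.arn, "${aws_s3_bucket.waf_logs.arn}/*"]
  }
}

resource "aws_iam_role_policy" "waf_logs_firehose" {
  role   = aws_iam_role.waf_logs_firehose.id
  policy = data.aws_iam_policy_document.firehose_s3.json
}

# WAF only accepts delivery streams whose name starts with "aws-waf-logs-".
resource "aws_kinesis_firehose_delivery_stream" "waf_logs" {
  name        = "aws-waf-logs-example" # placeholder suffix
  destination = "extended_s3"
  extended_s3_configuration {
    role_arn   = aws_iam_role.waf_logs_firehose.arn
    bucket_arn = aws_s3_bucket.waf_logs.arn
  }
}

resource "aws_wafv2_web_acl_logging_configuration" "this" {
  resource_arn            = aws_wafv2_web_acl.this.arn # assumed name from waf/main.tf
  log_destination_configs = [aws_kinesis_firehose_delivery_stream.waf_logs.arn]
  redacted_fields { # keep bearer tokens out of the log bucket
    single_header { name = "authorization" }
  }
}
```

Once wired in, re-running checkov should clear the WAF logging finding the open question refers to.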
Ticket
https://wicmtdp.atlassian.net/browse/PRP-162