Update ingress waf variables, set rate limit to enabled by default

thoughtbot · Nov 23, 2023 · 44d6bef · 44d6bef
1 parent 570ee8b
commit 44d6bef
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 24 deletions.
diff --git a/aws/ingress/main.tf b/aws/ingress/main.tf
@@ -68,5 +68,8 @@ module "waf" {
   aws_managed_rule_groups = var.waf_aws_managed_rule_groups
   rate_limit              = var.waf_rate_limit
 
+  allowed_ip_list = var.waf_allowed_ip_list
+  block_ip_list   = var.waf_block_ip_list
+
   depends_on = [module.alb]
 }
diff --git a/aws/ingress/variables.tf b/aws/ingress/variables.tf
@@ -10,6 +10,18 @@ variable "alarm_actions" {
   default     = []
 }
 
+variable "waf_allowed_ip_list" {
+  description = "Applicable if WAF is enabled. List of allowed IP addresses, these IP addresses will be exempted from any configured rules"
+  type        = list(string)
+  default     = []
+}
+
+variable "waf_block_ip_list" {
+  description = "Applicable if WAF is enabled. List of IP addresses to be blocked and denied access to the ingress / cloudfront."
+  type        = list(string)
+  default     = []
+}
+
 variable "alternative_domain_names" {
   type        = list(string)
   default     = []
@@ -149,7 +161,7 @@ variable "waf_rate_limit" {
   type = object({
     Priority       = number                 # Relative processing order for rate limit rule relative to other rules processed by AWS WAF.
     Limit          = optional(number, 1000) # This is the limit on requests from any single IP address within a 5 minute period
-    count_override = optional(bool, true)   # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`.
+    count_override = optional(bool, false)   # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`. Default value is false.
   })
   default = {
     Priority = 10

diff --git a/aws/waf/main.tf b/aws/waf/main.tf
@@ -47,17 +47,8 @@ resource "aws_wafv2_web_acl" "main" {
     name     = "${var.name}-allowed-ip-list"
     priority = 0
 
-    dynamic "action" {
-      for_each = var.rate_limit["count_override"] == true ? [1] : []
-      content {
-        count {}
-      }
-    }
-    dynamic "action" {
-      for_each = var.rate_limit["count_override"] == false ? [1] : []
-      content {
-        allow {}
-      }
+    action {
+      allow {}
     }
 
     statement {
@@ -76,17 +67,8 @@ resource "aws_wafv2_web_acl" "main" {
     name     = "${var.name}-blocked-ip-list"
     priority = 1
 
-    dynamic "action" {
-      for_each = var.rate_limit["count_override"] == true ? [1] : []
-      content {
-        count {}
-      }
-    }
-    dynamic "action" {
-      for_each = var.rate_limit["count_override"] == false ? [1] : []
-      content {
-        block {}
-      }
+    action {
+      block {}
     }
 
     statement {

diff --git a/aws/waf/variables.tf b/aws/waf/variables.tf
@@ -34,7 +34,7 @@ variable "rate_limit" {
   type = object({
     Priority       = number                 # Relative processing order for rate limit rule relative to other rules processed by AWS WAF.
     Limit          = optional(number, 1000) # This is the limit on requests from any single IP address within a 5 minute period
-    count_override = optional(bool, true)   # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`.
+    count_override = optional(bool, false)   # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`. Default value is false.
   })
 }