
Custom Exclusions for WAFv2; Disables Rate Limiting

* With zscalar, rate limiting is ineffective. Disabling.
* Adds the ability to specify custom excluded rules per WAF
* Excludes the SQL injection rule from jira, as it was firing false
  positives.

To be tagged v3.2.3
Fred Damstra [afs macbook] 3 yıl önce
ebeveyn
işleme
30a2ae5ebe

+ 3 - 0
base/jira/instance_jira/waf.tf

@@ -11,6 +11,9 @@ module "waf" {
     #    keys(module.public_dns_record_cust-auth-elb.forward),
   )
 
+  excluded_rules_AWSManagedRulesSQLiRuleSet = [
+    "SQLi_QUERYARGUMENTS"
+  ]
 
   # These are passed through and should be the same for module
   tags = merge(var.standard_tags, var.tags)
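Review bot: The new `excluded_rules_AWSManagedRulesSQLiRuleSet` entry records no reason in the file itself, so the false-positive rationale lives only in the commit message. Add a comment above the list such as `# SQLi_QUERYARGUMENTS fires false positives on Jira query strings; excluded as of v3.2.3 — revisit before widening`. If the submodule maps this list onto WAFv2's excluded-rule mechanism, the rule is switched to count rather than removed, so its count metric can still be watched to confirm the false positives and to notice that real injection attempts against query arguments are no longer blocked; that is worth stating in the comment as well. The enclosing `module "waf"` block starts and ends outside the hunk.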

+ 32 - 0
submodules/wafv2/vars.tf

@@ -1,3 +1,35 @@
+variable "excluded_rules_AWSManagedRulesCommonRuleSet" {
+  type = list(string)
+  default = [
+    "SizeRestrictions_BODY"  # Breaks too many things
+  ]
+}
+
+variable "excluded_rules_AWSManagedRulesAmazonIpReputationList" {
+  type = list(string)
+  default = [ ]
+}
+
+variable "excluded_rules_AWSManagedRulesKnownBadInputsRuleSet" {
+  type = list(string)
+  default = [ ]
+}
+
+variable "excluded_rules_AWSManagedRulesSQLiRuleSet" {
+  type = list(string)
+  default = [ ]
+}
+
+variable "excluded_rules_AWSManagedRulesLinuxRuleSet" {
+  type = list(string)
+  default = [ ]
+}
+
+variable "excluded_rules_AWSManagedRulesUnixRuleSet" {
+  type = list(string)
+  default = [ ]
+}
+
 variable "allowed_ips" { type = list(string) }
 variable "additional_blocked_ips" { type = list(string) }
 variable "resource_arn" { type = string }
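Review bot: None of the six new `excluded_rules_*` variables has a `description`, so callers and generated docs get no hint that a name listed here downgrades a managed rule for the whole WAF. Add one per variable, e.g. `description = "Rule names in AWSManagedRulesSQLiRuleSet to exclude from blocking for this WAF"`. The description should also warn that a caller who passes its own list for `excluded_rules_AWSManagedRulesCommonRuleSet` replaces the default, silently re-enabling `SizeRestrictions_BODY` unless it is repeated in the caller's list.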

+ 13 - 15
submodules/wafv2/waf.tf

@@ -135,51 +135,49 @@ module "wafv2" {
   ]
 
   # A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span
-  # zscalar needs high rates
-  ip_rate_based_rule = {
-    name     = "Rate_Limit"
-    priority = 200
-    limit    = 3000 # 6000 requests per 5 minutes= 10 requests/second (sustained for 5 minutes)
-    action   = "block"
-  }
+  # Because of zscalar, this is completely ineffective for us.
+  #ip_rate_based_rule = {
+  #  name     = "Rate_Limit"
+  #  priority = 200
+  #  limit    = 3000 # 6000 requests per 5 minutes= 10 requests/second (sustained for 5 minutes)
+  #  action   = "block"
+  #}
 
   # AWS managed rulesets
   # Baseline was from trussworks/wafv2/aws, but copied here to be customized for our use and renumbered.
   managed_rules =  [
     {
-      "excluded_rules": [
-        "SizeRestrictions_BODY"  # Breaks too many things
-      ],
+      "excluded_rules": var.excluded_rules_AWSManagedRulesCommonRuleSet,
       "name": "AWSManagedRulesCommonRuleSet",
       "override_action": "none",
       "priority": 510
     },
     {
-      "excluded_rules": [],
+      "excluded_rules": var.excluded_rules_AWSManagedRulesAmazonIpReputationList,
       "name": "AWSManagedRulesAmazonIpReputationList",
       "override_action": "none",
       "priority": 520
     },
     {
-      "excluded_rules": [],
+      "excluded_rules": var.excluded_rules_AWSManagedRulesKnownBadInputsRuleSet,
       "name": "AWSManagedRulesKnownBadInputsRuleSet",
       "override_action": "none",
       "priority": 530
     },
     {
-      "excluded_rules": [],
+      "excluded_rules": var.excluded_rules_AWSManagedRulesSQLiRuleSet,
       "name": "AWSManagedRulesSQLiRuleSet",
       "override_action": "none",
       "priority": 540
     },
     {
-      "excluded_rules": [],
+      "excluded_rules": var.excluded_rules_AWSManagedRulesLinuxRuleSet,
       "name": "AWSManagedRulesLinuxRuleSet",
       "override_action": "none",
       "priority": 550
     },
     {
-      "excluded_rules": [],
+      "excluded_rules": var.excluded_rules_AWSManagedRulesUnixRuleSet,
       "name": "AWSManagedRulesUnixRuleSet",
       "override_action": "none",
       "priority": 560
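Review bot: The rate-based rule is commented out rather than kept in count mode, so the WAF loses all per-IP volumetric visibility, not only the block action. If the submodule's `ip_rate_based_rule` accepts a count action, leaving the block active with `action   = "count"` and a limit sized for the shared egress IPs preserves the CloudWatch metric without blocking anyone; if it does not, delete the block instead of leaving commented code, since version control keeps the history. The retained comment on the limit line, `limit    = 3000 # 6000 requests per 5 minutes= 10 requests/second`, also contradicts itself and should be corrected or dropped. The `module "wafv2"` block and the `managed_rules` list continue past the hunk.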