
Merge pull request #312 from mdr-engineering/feature/ftd_MSOCI-1939_WAFforJira

Adds a WAF to Jira
Frederick Damstra 3 лет назад
Родитель
Сommit
7bdde08ce5
4 измененных файлов с 71 добавлено и 6 удалено
  1. 1 1
      base/customer_portal/vars.tf
  2. 1 0
      base/github/elbclassic.tf
  3. 47 0
      base/jira/instance_jira/waf.tf
  4. 22 5
      submodules/wafv2/waf.tf

+ 1 - 1
base/customer_portal/vars.tf

@@ -55,4 +55,4 @@ variable "instance_tags" {
   description = "Tags for the instance only."
   type = map(string)
   default = { }
-
+}

+ 1 - 0
base/github/elbclassic.tf

@@ -24,6 +24,7 @@ module "public_dns_record_wildcard" {
   }
 }
 
+# If ever this gets converted to an ALB, consider adding the waf module.
 resource "aws_elb" "external" {
     name_prefix = "gheext"
     subnets     = var.public_subnets

+ 47 - 0
base/jira/instance_jira/waf.tf

@@ -0,0 +1,47 @@
+module "waf" {
+  source = "../../../submodules/wafv2"
+
+  # Custom to resource
+  allowed_ips = [ ] # bypasses filters, so should not be needed/used unless warranted
+  additional_blocked_ips = [ ] # NOTE: There is a standard list in the submodule
+  resource_arn = aws_alb.jira_server_external.arn
+  fqdns = concat( # first entry in list will be the WAF name
+    keys(module.public_dns_record.forward),
+    # example, to add additional valid hostnames
+    #    keys(module.public_dns_record_cust-auth-elb.forward),
+  )
+
+
+  # These are passed through and should be the same for module
+  tags = merge(var.standard_tags, var.tags)
+  aws_partition = var.aws_partition
+  aws_region = var.aws_region
+  aws_account_id = var.aws_account_id
+}
+
+# Example: If you want to attach the WAF to an additional ALB
+#
+# Share a WAF for both services, should be cheaper due to scale, but can be easily separated out
+# using the commented section below, if the need arises.
+
+#resource "aws_wafv2_web_acl_association" "associate-auth-to-waf" {
+#  resource_arn = aws_lb.searchhead-auth-alb.arn
+#  web_acl_arn  = module.waf.web_acl_id
+#}
+
+# Example: If you want a second WAF, that should be straightforward
+#module "waf-auth" {
+#  source = "../../../submodules/wafv2"
+#
+#  # Custom to resource
+#  allowed_ips = [ ] # bypasses filters, so should not be needed/used unless warranted
+#  additional_blocked_ips = [ ] # NOTE: There is a standard list in the submodule
+#  resource_arn = aws_lb.searchhead-auth-alb.arn
+#  fqdns = keys(module.public_dns_record_cust-auth-elb.forward) # first entry in list will be the WAF name
+#
+#  # These are passed through and should be the same for module
+#  tags = merge(var.standard_tags, var.tags)
+#  aws_partition = var.aws_partition
+#  aws_region = var.aws_region
+#  aws_account_id = var.aws_account_id
+#}
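Review bot: The WAF name is taken from the first element of `fqdns`, but `keys(module.public_dns_record.forward)` returns keys in lexicographic order, so adding a DNS record whose name sorts before the current one changes `local.waf_name` in the submodule and forces replacement of the name-bearing IP sets, rule group and web ACL. Pinning the name explicitly as the first element, e.g. `fqdns = concat(["<primary-jira-fqdn>"], keys(module.public_dns_record.forward))` (placeholder, substitute the real hostname), keeps the name stable. The commented examples reference `aws_lb.searchhead-auth-alb` and `module.public_dns_record_cust-auth-elb`, which look copied from another service and do not exist in this module; renaming them to obvious placeholders avoids a broken reference when someone uncomments them. The example association also sets `web_acl_arn = module.waf.web_acl_id`, and since `aws_wafv2_web_acl_association` expects an ARN it is worth confirming the submodule output actually carries one.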

+ 22 - 5
submodules/wafv2/waf.tf

@@ -9,33 +9,46 @@
 # Goals:
 #  - US IPs only  -  https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-geo-match.html
 
+locals {
+  waf_name = replace(var.fqdns[0], ".", "_")
+}
+
 resource "aws_wafv2_ip_set" "blocked" {
-  name = "blocked_ips"
+  name = "${local.waf_name}_blocked_ips"
 
   scope              = "REGIONAL"
   ip_address_version = "IPV4"
 
   addresses = toset(concat(var.additional_blocked_ips, local.blocked_ips))
+
+  lifecycle {
+    create_before_destroy = true
+  }
 }
 
 resource "aws_wafv2_ip_set" "allowed" {
-  name = "allowed_ips"
+  name = "${local.waf_name}_allowed_ips"
 
   scope              = "REGIONAL"
   ip_address_version = "IPV4"
 
   addresses = var.allowed_ips
+
+  lifecycle {
+    create_before_destroy = true
+  }
 }
 
 resource "aws_wafv2_rule_group" "xdr_custom_rules" {
-  name = "xdr_custom_rules"
+  name = "${local.waf_name}_xdr_custom_rules"
   scope    = "REGIONAL"
   capacity = 1
 
   # Note, there is visibilty config for the group and for the rule
   visibility_config {
     cloudwatch_metrics_enabled = true
-    metric_name                = "xdr_custom_rules"
+    metric_name                = "${local.waf_name}_xdr_custom_rules"
+    #metric_name                = "xdr_custom_rules"
     sampled_requests_enabled   = true
   }
 
@@ -68,13 +81,17 @@ resource "aws_wafv2_rule_group" "xdr_custom_rules" {
   }
 
   # Add additional custom rules here
+
+  lifecycle {
+    create_before_destroy = true
+  }
 }
 
 module "wafv2" {
   source = "trussworks/wafv2/aws"
   version = "= 2.4.0"
 
-  name   = replace(var.fqdns[0], ".", "_")
+  name   = local.waf_name
   scope = "REGIONAL"
 
   alb_arn       = var.resource_arn
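Review bot: `local.waf_name` indexes `var.fqdns[0]` with no guard, so an empty `fqdns` list now fails at plan time with an index error inside the submodule rather than a message naming the variable; if the Terraform version in use supports variable validation, a `validation` block on `variable "fqdns"` with `condition = length(var.fqdns) > 0` and an error message saying the first entry becomes the WAF name would make the requirement explicit (the variable's definition is outside this hunk). Because the IP set and rule group names now derive from the first FQDN, any change to it replaces all of them; `create_before_destroy` covers these three resources, but the trussworks module's web ACL (defined outside this file) is renamed too, so its replacement should be checked for a window in which the ALB has no WAF attached. The leftover `#metric_name = "xdr_custom_rules"` line in the rule group's `visibility_config` is dead and should be dropped. In the second hunk the `aws_wafv2_rule_group` block begins before the hunk and the `wafv2` module block ends after it.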