module "waf" {
  source = "../../submodules/wafv2"

  # Custom to resource
  allowed_ips            = [] # bypasses filters, so should not be needed/used unless warranted. We previously did var.admin_remote_ipset, but that seems like a bad idea
  additional_blocked_ips = [] # NOTE: There is a standard list in the submodule
  admin_ips              = concat(local.zscalar_ips, local.admin_ips)
  resource_arn           = aws_alb.portal.arn
  fqdns                  = module.public_dns_record.forward # first entry in list will be the WAF name

  excluded_rules_AWSManagedRulesCommonRuleSet = [
    "SizeRestrictions_BODY",
    "GenericRFI_BODY",         # Blocks portal lambda MSOCI-2060
    "CrossSiteScripting_BODY", # Blocks portal API MSOCI-2121
    "EC2MetaDataSSRF_BODY",    # Blocks portal API MSOCI-2121
  ]

  excluded_rules_AWSManagedRulesUnixRuleSet = [
    "UNIXShellCommandsVariables_BODY", # Blocks portal API MSOCI-2121
  ]

  # These are passed through and should be the same for module
  tags           = merge(local.standard_tags, var.tags)
  aws_partition  = var.aws_partition
  aws_region     = var.aws_region
  aws_account_id = var.aws_account_id
}