# Web ACL for the searchhead ALB.
#
# One WAF is shared by both services (cheaper at scale). The commented examples
# at the bottom of this file show how to attach it to a second ALB, or to stand
# up a separate WAF, should that ever be needed.
module "waf" {
  source = "../../../submodules/wafv2"

  # Pass-through identity values. Keep these identical for every instance of
  # the module in this root.
  tags           = merge(local.standard_tags, var.tags)
  aws_partition  = var.aws_partition
  aws_region     = var.aws_region
  aws_account_id = var.aws_account_id

  # --- Settings specific to this resource -----------------------------------

  resource_arn = aws_lb.searchhead-alb.arn

  # Hostnames the WAF accepts. The first entry also becomes the WAF name, so
  # ordering matters. Additional hostnames are appended inside the concat(),
  # for example:
  #   keys(module.public_dns_record_cust-auth-elb.forward)
  # NOTE(review): the second-WAF example below wraps `.forward` in keys() while
  # this call passes it straight through — confirm the shape of the cust-elb
  # module output before adding entries.
  fqdns = concat(
    module.public_dns_record_cust-elb.forward,
  )

  # Source ranges that bypass every filter. Leave empty unless there is a
  # documented reason; anything listed here is effectively un-inspected.
  allowed_ips = []

  # Admin source ranges; both inputs are maintained in locals (not in this file).
  admin_ips = concat(local.zscalar_ips, local.admin_ips)

  # Extra deny-list entries layered on top of the standard list that ships with
  # the submodule.
  additional_blocked_ips = []

  # --- Managed rule-group exclusions ----------------------------------------
  #
  # Each entry presumably stops the named rule from acting on this ACL (the
  # submodule decides the exact mechanism). Taken together the lists below turn
  # off body / query-string size limits, LFI, IMDS-SSRF, SQLi (body and query
  # args) and Unix shell-command detection, which is a sizeable reduction in
  # coverage. Record the false-positive evidence that justifies each entry and
  # re-check the lists whenever the managed rule-set version is bumped. If the
  # submodule implements these as COUNT overrides, matches still appear in WAF
  # logs/metrics and can be alerted on — verify in ../../../submodules/wafv2.
  excluded_rules_AWSManagedRulesCommonRuleSet = [
    "SizeRestrictions_BODY",
    "SizeRestrictions_QUERYSTRING",
    "RestrictedExtensions_URIPATH",
    "RestrictedExtensions_QUERYARGUMENTS",
    "EC2MetaDataSSRF_BODY",
    "GenericLFI_BODY",
  ]

  excluded_rules_AWSManagedRulesSQLiRuleSet = [
    "SQLi_QUERYARGUMENTS",
    "SQLi_BODY",
  ]

  excluded_rules_AWSManagedRulesUnixRuleSet = [
    "UNIXShellCommandsVariables_BODY",
    "UNIXShellCommandsVariables_QUERYARGUMENTS",
  ]

  excluded_rules_AWSManagedRulesLinuxRuleSet = [
    "LFI_QUERYSTRING",
  ]
}

# ---------------------------------------------------------------------------
# Example: attach the same WAF to an additional ALB.
#
# Sharing one WAF across both services should be cheaper at scale; it can be
# split out later using the second example if the need arises.
#
#resource "aws_wafv2_web_acl_association" "associate-auth-to-waf" {
#  resource_arn = aws_lb.searchhead-auth-alb.arn
#  web_acl_arn  = module.waf.web_acl_id
#}

# Example: a second, independent WAF — should be straightforward.
#
#module "waf-auth" {
#  source = "../../../submodules/wafv2"
#
#  # Custom to resource
#  allowed_ips            = [] # bypasses filters, so should not be needed/used unless warranted
#  additional_blocked_ips = [] # NOTE: There is a standard list in the submodule
#  resource_arn           = aws_lb.searchhead-auth-alb.arn
#  fqdns                  = keys(module.public_dns_record_cust-auth-elb.forward) # first entry in list will be the WAF name
#
#  # These are passed through and should be the same for module
#  tags           = merge(local.standard_tags, var.tags)
#  aws_partition  = var.aws_partition
#  aws_region     = var.aws_region
#  aws_account_id = var.aws_account_id
#}