# This can be removed once WAFv2 is enabled in prod
 locals {
  blacklisted_ips = [
    {
      "value" = "172.16.0.0/16"
      type    = "IPV4"
    },
    {
      "value" = "192.168.0.0/16"
      type    = "IPV4"
    },
    {
      "value" = "169.254.0.0/16"
      type    = "IPV4"
    },
    {
      "value" = "127.0.0.1/32"
      type    = "IPV4"
    },
  ]
  waf_prefix = "portal"
}

module "regional_waf" {
  source             = "../../submodules/waf_owasp_top10"
  waf_prefix         = local.waf_prefix
  blacklisted_ips    = local.blacklisted_ips
  admin_remote_ipset = var.admin_remote_ipset
}

resource "aws_wafregional_web_acl_association" "portal_alb_waf" {
  resource_arn = aws_alb.portal.arn
  web_acl_id   = module.regional_waf.web_acl_id
}