# AWS WAFv2 web ACL for the external ALB, built from the shared wafv2 submodule
# and associated with aws_alb.external. Rule-group toggles and rule exclusions
# are handed to the submodule; its variables decide the exact WAF semantics,
# so the comments here describe intent and the review points to confirm.
module "waf" {
  source = "../../submodules/wafv2"

  # Custom to resource
  # allowed_ips bypasses every filter below; keep it empty unless a specific
  # source has a documented reason to skip inspection entirely.
  allowed_ips = [] # bypasses filters, so should not be needed/used unless warranted
  # presumably the sources permitted to reach the /admin path gated by
  # block_settings.admin below — confirm against the submodule
  admin_ips = concat(local.zscalar_ips, local.admin_ips)
  additional_blocked_ips = [] # NOTE: There is a standard list in the submodule
  # NOTE(review): aws_alb is the legacy alias of aws_lb; the commented example
  # further down uses aws_lb, so whichever type declares "external" must match.
  resource_arn = aws_alb.external.arn
  fqdns = [
    # first entry in list will be the WAF name
    "${var.instance_name}.${var.dns_info["public"]["zone"]}"
    # example, to add additional valid hostnames
    # keys(module.public_dns_record_cust-auth-elb.forward),
  ]

  # Set to 'false' to set as 'count only'
  block_settings = {
    # Default action. False = count
    # NOTE(review): a WAFv2 web ACL default action is allow or block, never
    # count, so what false maps to here is decided by the submodule — confirm
    # before relying on the 'count' wording.
    default = true,
    custom = true, # XDR Custom Rules. False = count
    admin = true, # /admin folder
    AWSManagedRulesCommonRuleSet = true,
    AWSManagedRulesAmazonIpReputationList = true,
    AWSManagedRulesKnownBadInputsRuleSet = true,
    AWSManagedRulesSQLiRuleSet = true,
    AWSManagedRulesLinuxRuleSet = true,
    AWSManagedRulesUnixRuleSet = true,
  }

  # Excluded rules are presumably passed to the submodule as per-rule
  # overrides (the named rule counts instead of blocking). Such an override
  # applies to every request the web ACL sees, not only to the path that
  # motivated it, so each entry is a deliberate reduction in coverage.
  excluded_rules_AWSManagedRulesSQLiRuleSet = [
  ]
  excluded_rules_AWSManagedRulesUnixRuleSet = [
  ]
  excluded_rules_AWSManagedRulesLinuxRuleSet = [
    "LFI_URIPATH", # /web/config.js needed
  ]
  # SAML assertions are large base64 POST bodies that trip these three rules.
  # With them excluded, body size, EC2-metadata SSRF and RFI checks no longer
  # block on any path behind this ALB — review periodically whether the
  # submodule can scope the override to the SAML endpoints instead.
  excluded_rules_AWSManagedRulesCommonRuleSet = [
    "SizeRestrictions_BODY", # for SAML
    "EC2MetaDataSSRF_BODY", # for SAML
    "GenericRFI_BODY", # for SAML
  ]

  # These are passed through and should be the same for module
  tags = merge(local.standard_tags, var.tags)
  aws_partition = var.aws_partition
  aws_region = var.aws_region
  aws_account_id = var.aws_account_id
}

# Example: If you want to attach the WAF to an additional ALB
#
# Share a WAF for both services, should be cheaper due to scale, but can be easily separated out
# using the commented section below, if the need arises.
# NOTE(review): the commented association passes module.waf.web_acl_id into
# web_acl_arn; confirm that submodule output is the ACL ARN before enabling it.
#resource "aws_wafv2_web_acl_association" "associate-auth-to-waf" {
# resource_arn = aws_lb.searchhead-auth-alb.arn
# web_acl_arn = module.waf.web_acl_id
#}

# Example: If you want a second WAF, that should be straightforward
#module "waf-auth" {
# source = "../../../submodules/wafv2"
#
# # Custom to resource
# allowed_ips = [ ] # bypasses filters, so should not be needed/used unless warranted
# additional_blocked_ips = [ ] # NOTE: There is a standard list in the submodule
# resource_arn = aws_lb.searchhead-auth-alb.arn
# fqdns = keys(module.public_dns_record_cust-auth-elb.forward) # first entry in list will be the WAF name
#
# # These are passed through and should be the same for module
# tags = merge(local.standard_tags, var.tags)
# aws_partition = var.aws_partition
# aws_region = var.aws_region
# aws_account_id = var.aws_account_id
#}