- module "waf" {
- source = "../../submodules/wafv2"
- # Custom to resource
- allowed_ips = [] # bypasses filters, so should not be needed/used unless warranted. We previously did var.admin_remote_ipset, but that seems like a bad idea
- additional_blocked_ips = [] # NOTE: There is a standard list in the submodule
- admin_ips = concat(local.zscalar_ips, local.admin_ips)
- resource_arn = aws_alb.portal.arn
- fqdns = module.public_dns_record.forward # first entry in list will be the WAF name
- excluded_rules_AWSManagedRulesCommonRuleSet = [
- "SizeRestrictions_BODY",
- "GenericRFI_BODY", # Blocks portal lambda MSOCI-2060
- "CrossSiteScripting_BODY", # Blocks portal API MSOCI-2121
- "EC2MetaDataSSRF_BODY", # Blocks portal API MSOCI-2121
- ]
- excluded_rules_AWSManagedRulesUnixRuleSet = [
- "UNIXShellCommandsVariables_BODY", # Blocks portal API MSOCI-2121
- ]
- # These are passed through and should be the same for module
- tags = merge(local.standard_tags, var.tags)
- aws_partition = var.aws_partition
- aws_region = var.aws_region
- aws_account_id = var.aws_account_id
- }