PLT-585: Add override to aws-common ruleset for XSS check (#121)

.github/workflows/api-waf-apply.yml

@@ -7,6 +7,7 @@ on:
     paths:
       - .github/workflows/api-waf-apply.yml
       - terraform/services/api-waf/**
+      - terraform/modules/firewall/**
   workflow_dispatch: # Allow manual trigger
 
 jobs:

.github/workflows/api-waf-plan.yml

@@ -5,6 +5,7 @@ on:
     paths:
       - .github/workflows/api-waf-plan.yml
       - terraform/services/api-waf/**
+      - terraform/modules/firewall/**
   workflow_dispatch: # Allow manual trigger
 
 jobs:

terraform/modules/firewall/main.tf

@@ -107,6 +107,14 @@ resource "aws_wafv2_web_acl" "this" {
       managed_rule_group_statement {
         name        = "AWSManagedRulesCommonRuleSet"
         vendor_name = "AWS"
+
+        # Override for XSS block on request body, DPC team sends HTML blocks in requests to certain endpoints
+        rule_action_override {
+          name = "CrossSiteScripting_BODY"
+          action_to_use {
+            count {}
+          }
+        }
       }
     }