diff --git a/.github/workflows/api-waf-apply.yml b/.github/workflows/api-waf-apply.yml
index 400a3761..93479764 100644
--- a/.github/workflows/api-waf-apply.yml
+++ b/.github/workflows/api-waf-apply.yml
@@ -7,6 +7,7 @@ on:
     paths:
       - .github/workflows/api-waf-apply.yml
       - terraform/services/api-waf/**
+      - terraform/modules/firewall/**
   workflow_dispatch: # Allow manual trigger
 jobs:
diff --git a/.github/workflows/api-waf-plan.yml b/.github/workflows/api-waf-plan.yml
index d5abb2ac..154d41b1 100644
--- a/.github/workflows/api-waf-plan.yml
+++ b/.github/workflows/api-waf-plan.yml
@@ -5,6 +5,7 @@ on:
     paths:
       - .github/workflows/api-waf-plan.yml
       - terraform/services/api-waf/**
+      - terraform/modules/firewall/**
   workflow_dispatch: # Allow manual trigger
 jobs:
diff --git a/terraform/modules/firewall/main.tf b/terraform/modules/firewall/main.tf
index 7f9a4eea..32d3b061 100644
--- a/terraform/modules/firewall/main.tf
+++ b/terraform/modules/firewall/main.tf
@@ -107,6 +107,14 @@ resource "aws_wafv2_web_acl" "this" {
       managed_rule_group_statement {
         name        = "AWSManagedRulesCommonRuleSet"
         vendor_name = "AWS"
+
+        # Override for XSS block on request body, DPC team sends HTML blocks in requests to certain endpoints
+        rule_action_override {
+          name = "CrossSiteScripting_BODY"
+          action_to_use {
+            count {}
+          }
+        }
       }
     }
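Review bot: The `CrossSiteScripting_BODY` override downgrades that rule to count for every request the managed group evaluates (no scope-down statement is visible in the hunk), not only the endpoints the comment mentions, so request-body XSS blocking is effectively off for the whole ACL while the comment reads as a targeted exception. If only a known set of paths legitimately carries HTML bodies, keep the override but add a custom rule after the managed group that blocks on the label the counted rule emits unless the URI path is one of those endpoints (sketch below; the label key, path prefix and priority are placeholders to fill in from the module's existing rules, which are outside this hunk). Count mode still records matches in CloudWatch metrics and sampled requests, so the ACL's `visibility_config` should be confirmed enabled and the count metric watched, otherwise the exception becomes silently permanent. The comment should also name the endpoints or cite the request behind it, e.g. `# CrossSiteScripting_BODY set to count: <endpoint list> accept HTML bodies from the DPC team (see <ticket>); the custom rule below re-blocks it elsewhere`. The enclosing `aws_wafv2_web_acl` resource starts and ends outside the hunk.
```hcl
# … unchanged: managed_rule_group_statement with the CrossSiteScripting_BODY count override …

# Re-block XSS in the request body everywhere except the endpoints that legitimately receive HTML.
rule {
  name     = "block-xss-body-outside-allowlist"
  priority = <PRIORITY_GREATER_THAN_COMMON_RULE_SET>
  action {
    block {}
  }
  statement {
    and_statement {
      statement {
        label_match_statement {
          scope = "LABEL"
          key   = "<LABEL_EMITTED_BY_CrossSiteScripting_BODY>"
        }
      }
      statement {
        not_statement {
          statement {
            byte_match_statement {
              positional_constraint = "STARTS_WITH"
              search_string         = "<ALLOWLISTED_PATH_PREFIX>"
              field_to_match {
                uri_path {}
              }
              text_transformation {
                priority = 0
                type     = "NONE"
              }
            }
          }
        }
      }
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "block-xss-body-outside-allowlist"
    sampled_requests_enabled   = true
  }
}
```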