From 18642f122f91ab5dd17393b06e0164a7ed90cc05 Mon Sep 17 00:00:00 2001
From: gfreeman-navapbc <129095098+gfreeman-navapbc@users.noreply.github.com>
Date: Thu, 5 Sep 2024 09:51:51 -0700
Subject: [PATCH] PLT-585: Add override to aws-common ruleset for XSS check (#121)

---
 .github/workflows/api-waf-apply.yml | 1 +
 .github/workflows/api-waf-plan.yml | 1 +
 terraform/modules/firewall/main.tf | 8 ++++++++
 3 files changed, 10 insertions(+)

diff --git a/.github/workflows/api-waf-apply.yml b/.github/workflows/api-waf-apply.yml
index 400a3761..93479764 100644
--- a/.github/workflows/api-waf-apply.yml
+++ b/.github/workflows/api-waf-apply.yml
@@ -7,6 +7,7 @@ on:
 paths:
 - .github/workflows/api-waf-apply.yml
 - terraform/services/api-waf/**
+ - terraform/modules/firewall/**
 workflow_dispatch: # Allow manual trigger
 jobs:
diff --git a/.github/workflows/api-waf-plan.yml b/.github/workflows/api-waf-plan.yml
index d5abb2ac..154d41b1 100644
--- a/.github/workflows/api-waf-plan.yml
+++ b/.github/workflows/api-waf-plan.yml
@@ -5,6 +5,7 @@ on:
 paths:
 - .github/workflows/api-waf-plan.yml
 - terraform/services/api-waf/**
+ - terraform/modules/firewall/**
 workflow_dispatch: # Allow manual trigger
 jobs:
diff --git a/terraform/modules/firewall/main.tf b/terraform/modules/firewall/main.tf
index 7f9a4eea..32d3b061 100644
--- a/terraform/modules/firewall/main.tf
+++ b/terraform/modules/firewall/main.tf
@@ -107,6 +107,14 @@ resource "aws_wafv2_web_acl" "this" {
 managed_rule_group_statement {
 name = "AWSManagedRulesCommonRuleSet"
 vendor_name = "AWS"
+
+ # Override for XSS block on request body, DPC team sends HTML blocks in requests to certain endpoints
+ rule_action_override {
+ name = "CrossSiteScripting_BODY"
+ action_to_use {
+ count {}
+ }
+ }
 }
 }
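Review bot: The `count {}` override on `CrossSiteScripting_BODY` applies to every request this web ACL evaluates, not only to the "certain endpoints" the new comment mentions, so body-based XSS detection becomes observe-only for the whole API behind the ACL. AWS WAF still attaches the managed label (documented as `awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body`) to counted matches, so the usual pattern is to keep this override and add a later-priority custom rule that blocks on that label unless the URI path is one of the HTML-accepting endpoints, as sketched below; the enclosing `rule` block and its `priority` start outside the hunk, so the new rule's priority must be set higher than that one. The comment should also record the scope and owner of the exception, e.g. `# PLT-585: CrossSiteScripting_BODY set to COUNT ACL-wide; blocking re-applied outside the DPC HTML endpoints by rule BlockXssBodyOutsideHtmlEndpoints — review with the DPC team before widening the path list`, and someone should watch the COUNT metric and sampled requests for that rule once it ships.
```hcl
  # … unchanged: rule wrapping AWSManagedRulesCommonRuleSet with the CrossSiteScripting_BODY override …

  # Re-apply BLOCK for body XSS everywhere except the endpoints that legitimately accept HTML.
  # Must run after the common-ruleset rule above (higher priority number) so the label is present.
  rule {
    name     = "BlockXssBodyOutsideHtmlEndpoints"
    priority = 0 # TODO: set to one more than the AWSManagedRulesCommonRuleSet rule's priority

    action {
      block {}
    }

    statement {
      and_statement {
        statement {
          label_match_statement {
            scope = "LABEL"
            key   = "awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body"
          }
        }
        statement {
          not_statement {
            statement {
              byte_match_statement {
                positional_constraint = "STARTS_WITH"
                search_string         = "/TODO-dpc-html-endpoint-prefix/" # TODO: the DPC endpoints that post HTML
                field_to_match {
                  uri_path {}
                }
                text_transformation {
                  priority = 0
                  type     = "NONE"
                }
              }
            }
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "BlockXssBodyOutsideHtmlEndpoints"
      sampled_requests_enabled   = true
    }
  }
```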