diff --git a/src/infra/modules/backend/lambda.tf b/src/infra/modules/backend/lambda.tf index 8770d2c2..72f77b37 100644 --- a/src/infra/modules/backend/lambda.tf +++ b/src/infra/modules/backend/lambda.tf @@ -266,8 +266,8 @@ data "aws_ssm_parameter" "is_gh_integration_lambda" { data "aws_iam_policy_document" "is_gh_integration_lambda" { statement { - effect = "Allow" - actions = [ + effect = "Allow" + actions = [ "ssm:Describe*", "ssm:Get*", "ssm:List*" @@ -290,8 +290,8 @@ module "is_gh_integration_lambda" { publish = true - attach_policy_json = true - policy_json = data.aws_iam_policy_document.is_gh_integration_lambda.json + attach_policy_json = true + policy_json = data.aws_iam_policy_document.is_gh_integration_lambda.json cloudwatch_logs_retention_in_days = var.is_gh_integration_lambda.cloudwatch_logs_retention_in_days diff --git a/src/infra/modules/frontend/locals.tf b/src/infra/modules/frontend/locals.tf new file mode 100644 index 00000000..c2c3aa5e --- /dev/null +++ b/src/infra/modules/frontend/locals.tf @@ -0,0 +1,32 @@ +locals { + web_acl_rules = [ + { + name = "IpReputationList" + priority = 1 + managed_rule_group_name = "AWSManagedRulesAmazonIpReputationList" + vendor_name = "AWS" + metric_name = "IpReputationList" + }, + { + name = "CommonRuleSet" + priority = 2 + managed_rule_group_name = "AWSManagedRulesCommonRuleSet" + vendor_name = "AWS" + metric_name = "CommonRuleSet" + }, + { + name = "KnownBadInputsRuleSet" + priority = 3 + managed_rule_group_name = "AWSManagedRulesKnownBadInputsRuleSet" + vendor_name = "AWS" + metric_name = "KnownBadInputsRuleSet" + }, + { + name = "SQLiRuleSet" + priority = 4 + managed_rule_group_name = "AWSManagedRulesSQLiRuleSet" + vendor_name = "AWS" + metric_name = "SQLiRuleSet" + } + ] +} diff --git a/src/infra/modules/frontend/main.tf b/src/infra/modules/frontend/main.tf index 724ce6e5..c96756d8 100644 --- a/src/infra/modules/frontend/main.tf +++ b/src/infra/modules/frontend/main.tf 
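Review bot: The new `web_acl_rules` list in locals.tf carries no comment stating its contract, and nothing enforces that the `priority` values are unique, which AWS WAF rejects at apply time; the `for_each` map that consumes the list in main.tf only deduplicates on `name`. A header comment such as `# Managed rule groups attached to aws_wafv2_web_acl.main through the dynamic "rule" block in main.tf; name and priority must each be unique, and priority (not list order) decides evaluation order.` would make the coupling to main.tf visible to whoever adds the next entry. A `lifecycle { precondition { ... } }` on the web ACL resource with the condition `length(distinct(local.web_acl_rules[*].priority)) == length(local.web_acl_rules)` and a matching `error_message` would surface a duplicate priority at plan rather than apply; preconditions need Terraform 1.2 or later, which this diff does not let me confirm.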
@@ -192,93 +192,31 @@ resource "aws_wafv2_web_acl" "main" { allow {} } - rule { - name = "IpReputationList" - priority = 1 - override_action { - count {} - } - - statement { - managed_rule_group_statement { - name = "AWSManagedRulesAmazonIpReputationList" - vendor_name = "AWS" - } - } - - visibility_config { - cloudwatch_metrics_enabled = var.web_acl.cloudwatch_metrics_enabled - metric_name = "IpReputationList" - sampled_requests_enabled = var.web_acl.sampled_requests_enabled - } - } + dynamic "rule" { + for_each = { for r in local.web_acl_rules : r.name => r } + content { + name = rule.value.name + priority = rule.value.priority - rule { - name = "CommonRuleSet" - priority = 2 - - override_action { - count {} - } - - statement { - managed_rule_group_statement { - name = "AWSManagedRulesCommonRuleSet" - vendor_name = "AWS" + override_action { + count {} } - } - - visibility_config { - cloudwatch_metrics_enabled = var.web_acl.cloudwatch_metrics_enabled - metric_name = "CommonRuleSet" - sampled_requests_enabled = var.web_acl.sampled_requests_enabled - } - } - - rule { - name = "KnownBadInputsRuleSet" - priority = 3 - - override_action { - count {} - } - statement { - managed_rule_group_statement { - name = "AWSManagedRulesKnownBadInputsRuleSet" - vendor_name = "AWS" + statement { + managed_rule_group_statement { + name = rule.value.managed_rule_group_name + vendor_name = rule.value.vendor_name + } } - } - visibility_config { - cloudwatch_metrics_enabled = var.web_acl.cloudwatch_metrics_enabled - metric_name = "KnownBadInputsRuleSet" - sampled_requests_enabled = var.web_acl.sampled_requests_enabled - } - } - - rule { - name = "SQLiRuleSet" - priority = 4 - - override_action { - count {} - } - - statement { - managed_rule_group_statement { - name = "AWSManagedRulesSQLiRuleSet" - vendor_name = "AWS" + visibility_config { + cloudwatch_metrics_enabled = var.web_acl.cloudwatch_metrics_enabled + metric_name = rule.value.metric_name + sampled_requests_enabled = 
var.web_acl.sampled_requests_enabled } } - - visibility_config { - cloudwatch_metrics_enabled = var.web_acl.cloudwatch_metrics_enabled - metric_name = "SQLiRuleSet" - sampled_requests_enabled = var.web_acl.sampled_requests_enabled - } } tags = { Name = var.web_acl.name } diff --git a/src/infra/prod/eu-central-1/variables.tf b/src/infra/prod/eu-central-1/variables.tf index 79fcf19e..27437297 100644 --- a/src/infra/prod/eu-central-1/variables.tf +++ b/src/infra/prod/eu-central-1/variables.tf @@ -183,7 +183,7 @@ variable "cie_entity_id" { } variable "is_gh_sns_arn" { - type = string + type = string # default = "arn:aws:sns:eu-south-1:116453376486:history" default = null } diff --git a/src/infra/prod/eu-south-1/variables.tf b/src/infra/prod/eu-south-1/variables.tf index 7e7fce57..afd45ee6 100644 --- a/src/infra/prod/eu-south-1/variables.tf +++ b/src/infra/prod/eu-south-1/variables.tf @@ -354,8 +354,8 @@ variable "alarm_subscribers" { } variable "is_gh_sns_arn" { - type = string - # default = "arn:aws:sns:eu-south-1:116453376486:history" + type = string + # default = "arn:aws:sns:eu-south-1:116453376486:history" default = null }
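Review bot: Every rule group rendered by the new `dynamic "rule"` block receives `override_action { count {} }`, so with the ACL's `default_action { allow {} }` shown in the context at the top of the hunk none of the four managed groups, including the IP reputation and SQLi sets, blocks a request; they only emit metrics and sampled requests. That is the same mode the removed hand-written rules used, so the commit does not change behaviour, but the refactor is the natural point to make the mode a per-rule attribute instead of a constant, so a group can be promoted to its native block actions once its count metrics have been reviewed without touching main.tf again. Reading an optional `override_action` attribute from each `local.web_acl_rules` entry with `try(rule.value.override_action, "count")` and rendering `count {}` or `none {}` from it keeps the current plan identical while allowing per-rule promotion. The enclosing `aws_wafv2_web_acl.main` resource starts before this hunk.
```hcl
dynamic "rule" {
  for_each = { for r in local.web_acl_rules : r.name => r }
  content {
    # … unchanged: name, priority …

    # "count" (the default, matching the previous hand-written rules) only records
    # matches; "none" lets the managed group's own block actions take effect.
    override_action {
      dynamic "count" {
        for_each = try(rule.value.override_action, "count") == "count" ? [1] : []
        content {}
      }
      dynamic "none" {
        for_each = try(rule.value.override_action, "count") == "none" ? [1] : []
        content {}
      }
    }

    # … unchanged: statement, visibility_config …
  }
}
```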