Consolidate WAF rules into a single one by default for FilmDrop endpo…

…ints (#76)

CHANGELOG.md

@@ -12,6 +12,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Builtin lambdas added to cirrus module along with script to update deployment zip
 - API Gateway infrastructure for Cirrus API
 
+### Changed
+
+- Consolidated WAF rules into a single one by default for cost savings
+
 ## 2.27.0 - 2024-05-31
 
 ### Changed

README.md

@@ -244,6 +244,7 @@ deploy_titiler = false
 deploy_console_ui = false
 deploy_cirrus_dashboard = false
 deploy_local_stac_server_artifacts = false
+deploy_waf_rule = false
 ```
 
 ```shell

ci.tfvars

@@ -24,6 +24,7 @@ stac_server_inputs = {
  app_name = "stac_server"
  version = "v3.8.0"
  deploy_cloudfront = false
+ web_acl_id = ""
  domain_alias = ""
  enable_transactions_extension = false
  collection_to_index_mappings = ""
@@ -40,7 +41,6 @@ stac_server_inputs = {
  cors_methods = ""
  cors_headers = ""
  authorized_s3_arns = []
- web_acl_id = ""
  auth_function = {
  cf_function_name = ""
  cf_function_runtime = "cloudfront-js-2.0"
@@ -94,6 +94,7 @@ analytics_inputs = {
  jupyterhub_elb_acm_cert_arn = ""
  jupyterhub_elb_domain_alias = ""
  create_credentials = true
+ web_acl_id = ""
  auth_function = {
  cf_function_name = ""
  cf_function_runtime = "cloudfront-js-2.0"
@@ -123,6 +124,7 @@ console_ui_inputs = {
  app_name = "console"
  domain_alias = ""
  deploy_cloudfront = false
+ web_acl_id = ""
  version = "v5.3.0"
  filmdrop_ui_config_file = "./profiles/console-ui/default-config/config.dev.json"
  filmdrop_ui_logo_file = "./profiles/console-ui/default-config/logo.png"
@@ -186,6 +188,7 @@ cirrus_dashboard_inputs = {
  app_name = "dashboard"
  domain_alias = ""
  deploy_cloudfront = false
+ web_acl_id = ""
  version = "v0.5.1"
  custom_error_response = [
  {
@@ -225,3 +228,10 @@ deploy_console_ui = true
 deploy_cirrus = true
 deploy_cirrus_dashboard = true
 deploy_local_stac_server_artifacts = false
+deploy_waf_rule = true
+
+
+#### WAF Rule Settings
+ext_web_acl_id = "" # Specify if bringing an externally managed WAF
+ip_blocklist = []
+whitelist_ips = []

default.tfvars

@@ -26,6 +26,7 @@ stac_server_inputs = {
  app_name = "stac_server"
  version = "v3.8.0"
  deploy_cloudfront = true
+ web_acl_id = ""
  domain_alias = ""
  enable_transactions_extension = false
  collection_to_index_mappings = ""
@@ -42,7 +43,6 @@ stac_server_inputs = {
  cors_methods = ""
  cors_headers = ""
  authorized_s3_arns = []
- web_acl_id = ""
  auth_function = {
  cf_function_name = ""
  cf_function_runtime = "cloudfront-js-2.0"
@@ -96,6 +96,7 @@ analytics_inputs = {
  jupyterhub_elb_acm_cert_arn = ""
  jupyterhub_elb_domain_alias = ""
  create_credentials = true
+ web_acl_id = ""
  auth_function = {
  cf_function_name = ""
  cf_function_runtime = "cloudfront-js-2.0"
@@ -125,6 +126,7 @@ console_ui_inputs = {
  app_name = "console"
  domain_alias = ""
  deploy_cloudfront = true
+ web_acl_id = ""
  version = "v5.3.0"
  filmdrop_ui_config_file = "./profiles/console-ui/default-config/config.dev.json"
  filmdrop_ui_logo_file = "./profiles/console-ui/default-config/logo.png"
@@ -190,6 +192,7 @@ cirrus_dashboard_inputs = {
  app_name = "dashboard"
  domain_alias = ""
  deploy_cloudfront = true
+ web_acl_id = ""
  version = "v0.5.1"
  cirrus_api_endpoint = ""
  metrics_api_endpoint = ""
@@ -229,3 +232,10 @@ deploy_console_ui = true
 deploy_cirrus = true
 deploy_cirrus_dashboard = true
 deploy_local_stac_server_artifacts = false
+deploy_waf_rule = true
+
+
+#### WAF Rule Settings
+ext_web_acl_id = "" # Specify if bringing an externally managed WAF
+ip_blocklist = []
+whitelist_ips = []

filmdrop.tf

@@ -40,4 +40,8 @@ module "filmdrop" {
  deploy_cirrus = var.deploy_cirrus
  deploy_cirrus_dashboard = var.deploy_cirrus_dashboard
  deploy_local_stac_server_artifacts = var.deploy_local_stac_server_artifacts
+ deploy_waf_rule = var.deploy_waf_rule
+ ext_web_acl_id = var.ext_web_acl_id
+ ip_blocklist = var.ip_blocklist
+ whitelist_ips = var.whitelist_ips
 }

inputs.tf

@@ -94,6 +94,7 @@ variable "stac_server_inputs" {
  app_name = string
  version = string
  deploy_cloudfront = bool
+ web_acl_id = string
  domain_alias = string
  enable_transactions_extension = bool
  collection_to_index_mappings = string
@@ -110,7 +111,6 @@ variable "stac_server_inputs" {
  cors_methods = string
  cors_headers = string
  authorized_s3_arns = list(string)
- web_acl_id = string
  auth_function = object({
  cf_function_name = string
  cf_function_runtime = string
@@ -139,6 +139,7 @@ variable "stac_server_inputs" {
  app_name = "stac_server"
  version = "v3.8.0"
  deploy_cloudfront = true
+ web_acl_id = ""
  domain_alias = ""
  enable_transactions_extension = false
  collection_to_index_mappings = ""
@@ -155,7 +156,6 @@ variable "stac_server_inputs" {
  cors_methods = ""
  cors_headers = ""
  authorized_s3_arns = []
- web_acl_id = ""
  auth_function = {
  cf_function_name = ""
  cf_function_runtime = "cloudfront-js-2.0"
@@ -233,6 +233,7 @@ variable "analytics_inputs" {
  type = object({
  app_name = string
  domain_alias = string
+ web_acl_id = string
  jupyterhub_elb_acm_cert_arn = string
  jupyterhub_elb_domain_alias = string
  create_credentials = bool
@@ -261,6 +262,7 @@ variable "analytics_inputs" {
  default = {
  app_name = "analytics"
  domain_alias = ""
+ web_acl_id = ""
  jupyterhub_elb_acm_cert_arn = ""
  jupyterhub_elb_domain_alias = ""
  create_credentials = true
@@ -294,6 +296,7 @@ variable "console_ui_inputs" {
  app_name = string
  domain_alias = string
  deploy_cloudfront = bool
+ web_acl_id = string
  custom_error_response = list(object({
  error_caching_min_ttl = string
  error_code = string
@@ -319,6 +322,7 @@ variable "console_ui_inputs" {
  app_name = "console"
  domain_alias = ""
  deploy_cloudfront = true
+ web_acl_id = ""
  custom_error_response = [
  {
  error_caching_min_ttl = "10"
@@ -422,6 +426,7 @@ variable "cirrus_dashboard_inputs" {
  app_name = string
  domain_alias = string
  deploy_cloudfront = bool
+ web_acl_id = string
  version = string
  cirrus_api_endpoint = string
  metrics_api_endpoint = string
@@ -446,6 +451,7 @@ variable "cirrus_dashboard_inputs" {
  app_name = "dashboard"
  domain_alias = ""
  deploy_cloudfront = true
+ web_acl_id = ""
  version = "v0.5.1"
  cirrus_api_endpoint = ""
  metrics_api_endpoint = ""
@@ -548,3 +554,27 @@ variable "deploy_local_stac_server_artifacts" {
  type = bool
  default = true
 }
+
+variable "deploy_waf_rule" {
+ description = "Deploy FilmDrop WAF rule"
+ type = bool
+ default = true
+}
+
+variable "ip_blocklist" {
+ description = "List of ip cidr ranges to block access to. "
+ type = set(string)
+ default = []
+}
+
+variable "whitelist_ips" {
+ description = "List of ips to filter access for."
+ type = set(string)
+ default = []
+}
+
+variable "ext_web_acl_id" {
+ description = "The id of the external WAF resource to attach to the FilmDrop CloudFront Endpoints."
+ type = string
+ default = ""
+}

modules/cloudfront/apigw_endpoint/api_gateway_endpoint.tf

@@ -29,7 +29,6 @@ module "cloudfront_distribution" {
  default_ttl = var.default_ttl
  max_ttl = var.max_ttl
  custom_error_response = var.custom_error_response
- create_waf_rule = var.web_acl_id == "" ? true : false
  web_acl_id = var.web_acl_id
  project_name = var.project_name
  environment = var.environment

modules/cloudfront/custom_origin/custom_origin.tf

@@ -74,7 +74,7 @@ resource "aws_cloudfront_distribution" "filmdrop_managed_cloudfront_distribution
  enabled = var.enabled
  is_ipv6_enabled = var.ipv6_enabled
  default_root_object = var.default_root
- web_acl_id = var.create_waf_rule == false ? var.web_acl_id : module.cloudfront_waf[0].web_acl_id
+ web_acl_id = var.web_acl_id
 
  logging_config {
  include_cookies = var.log_cookies
@@ -155,16 +155,6 @@ resource "aws_cloudfront_distribution" "filmdrop_managed_cloudfront_distribution
  ]
 }
 
-module "cloudfront_waf" {
- count = var.create_waf_rule == false ? 0 : 1
- source = "../waf"
-
- logging_bucket_name = var.create_log_bucket ? aws_s3_bucket.log_bucket[0].id : var.log_bucket_name
- whitelist_ips = var.whitelist_ips
- ip_blocklist = var.ip_blocklist
- cf_origin_appendix = replace(replace(local.origin_id_prefix, "_", ""), "-", "")
-}
-
 resource "aws_ssm_parameter" "cloudfront_custom_origin" {
  name = "${local.origin_id_prefix}-origin"
  type = "String"

modules/cloudfront/custom_origin/inputs.tf

@@ -142,24 +142,6 @@ variable "price_class" {
  default = "PriceClass_100"
 }
 
-variable "create_waf_rule" {
- description = "Create WAF for cloudfront"
- type = string
- default = true
-}
-
-variable "ip_blocklist" {
- description = "List of ip cidr ranges to block access to. "
- type = set(string)
- default = []
-}
-
-variable "whitelist_ips" {
- description = "List of ips to filter access for."
- type = set(string)
- default = []
-}
-
 variable "cf_function_name" {
  description = "Name of the CF function"
  type = string

modules/cloudfront/lb_endpoint/input.tf

@@ -49,6 +49,11 @@ variable "load_balancer_dns_name" {
  type = string
 }
 
+variable "web_acl_id" {
+ description = "The id of the WAF resource to attach to the CloudFront endpoint."
+ type = string
+ default = ""
+}
 
 variable "min_ttl" {
  description = "Minimum amount of time, in seconds, that you want objects to stay in the CloudFront cache before CloudFront sends another request to the origin to determine whether the object has been updated."

modules/cloudfront/lb_endpoint/load_balancer_endpoint.tf

@@ -29,6 +29,7 @@ module "cloudfront_distribution" {
  default_ttl = var.default_ttl
  max_ttl = var.max_ttl
  custom_error_response = var.custom_error_response
+ web_acl_id = var.web_acl_id
  project_name = var.project_name
  environment = var.environment
  create_log_bucket = var.create_log_bucket

modules/cloudfront/s3_origin/inputs.tf

@@ -94,30 +94,12 @@ variable "create_content_website" {
  default = true
 }
 
-variable "create_waf_rule" {
- description = "Create WAF for cloudfront"
- type = bool
- default = true
-}
-
 variable "price_class" {
  description = "CloudFront Price Class."
  type = string
  default = "PriceClass_100"
 }
 
-variable "ip_blocklist" {
- description = "List of ip cidr ranges to block access to. "
- type = set(string)
- default = []
-}
-
-variable "whitelist_ips" {
- description = "List of ips to filter access for."
- type = set(string)
- default = []
-}
-
 variable "cf_function_name" {
  description = "Name of the CF function"
  type = string

modules/cloudfront/s3_origin/s3_origin.tf

@@ -48,7 +48,7 @@ resource "aws_cloudfront_distribution" "filmdrop_managed_cloudfront_distribution
  enabled = var.enabled
  is_ipv6_enabled = var.ipv6_enabled
  default_root_object = var.default_root
- web_acl_id = var.create_waf_rule == false ? var.web_acl_id : module.cloudfront_waf[0].web_acl_id
+ web_acl_id = var.web_acl_id
 
  logging_config {
  include_cookies = var.log_cookies
@@ -147,17 +147,6 @@ module "content_website" {
  origin_id = local.origin_id_prefix
 }
 
-
-module "cloudfront_waf" {
- count = var.create_waf_rule == false ? 0 : 1
- source = "../waf"
-
- logging_bucket_name = var.create_log_bucket ? aws_s3_bucket.log_bucket[0].id : var.log_bucket_name
- whitelist_ips = var.whitelist_ips
- ip_blocklist = var.ip_blocklist
- cf_origin_appendix = replace(replace(local.origin_id_prefix, "_", ""), "-", "")
-}
-
 module "cloudfront_function" {
  count = var.create_cf_function == true && var.create_cf_basicauth_function == false ? 1 : 0
  source = "../cf_function"

modules/cloudfront/s3_website/input.tf

@@ -20,6 +20,12 @@ variable "min_ttl" {
  default = 0
 }
 
+variable "web_acl_id" {
+ description = "The id of the WAF resource to attach to the CloudFront endpoint."
+ type = string
+ default = ""
+}
+
 variable "default_ttl" {
  description = "Default amount of time, in seconds, that you want objects to stay in CloudFront caches before CloudFront forwards another request to your origin to determine whether the object has been updated"
  type = number