DP-1002 Assotiate WAF and ALB

  - Disable rules were preventing login

terragrunt/components/core/networking/terragrunt.hcl

@@ -6,6 +6,14 @@ include {
   path = find_in_parent_folders()
 }
 
+dependency core_iam {
+  config_path = "../../core/iam"
+  mock_outputs = {
+    terraform_arn                       = "mock"
+    terraform_name                      = "mock"
+  }
+}
+
 locals {
   global_vars = read_terragrunt_config(find_in_parent_folders("terragrunt.hcl"))
   core_vars = read_terragrunt_config(find_in_parent_folders("core.hcl"))

terragrunt/components/service/ecs/terragrunt.hcl

@@ -46,6 +46,7 @@ dependency core_networking {
     public_subnet_ids           = "mock"
     public_subnets_cidr_blocks  = "mock"
     vpc_id                      = "mock"
+    waf_acl_arn                 = "mock"
   }
 }
 
@@ -142,6 +143,7 @@ inputs = {
   public_subnets_cidr_blocks  = dependency.core_networking.outputs.public_subnets_cidr_blocks
   vpc_id                      = dependency.core_networking.outputs.vpc_id
   vpc_cider                   = dependency.core_networking.outputs.vpc_cider
+  waf_acl_arn                 = dependency.core_networking.outputs.waf_acl_arn
 
 
   alb_sg_id                 = dependency.core_security_groups.outputs.alb_sg_id

terragrunt/modules/core-iam/terraform-global-datasource.tf

@@ -338,11 +338,13 @@ data "aws_iam_policy_document" "terraform_global" {
   statement {
     actions = [
       "wafv2:CreateWebACL",
-      "wafv2:UpdateWebACL"
+      "wafv2:GetWebACLForResource",
+      "wafv2:UpdateWebACL",
     ]
     effect = "Allow"
     resources = [
       "arn:aws:wafv2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:regional/managedruleset/*/*",
+      "arn:aws:wafv2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:regional/webacl/*/*",
     ]
     sid = "ManageWAF"
   }

terragrunt/modules/core-iam/terraform-product-datasource.tf

@@ -185,6 +185,7 @@ data "aws_iam_policy_document" "terraform_product" {
       "elasticloadbalancing:Describe*",
       "elasticloadbalancing:Modify*",
       "elasticloadbalancing:SetRulePriorities",
+      "elasticloadbalancing:SetWebACL",
     ]
     effect = "Allow"
     resources = [
@@ -228,10 +229,11 @@ data "aws_iam_policy_document" "terraform_product" {
 
   statement {
     actions = [
+      "wafv2:AssociateWebACL",
       "wafv2:CreateWebACL",
-      "wafv2:TagResource",
       "wafv2:GetWebACL",
       "wafv2:ListTagsForResource",
+      "wafv2:TagResource",
       "wafv2:UpdateWebACL",
     ]
     effect = "Allow"

terragrunt/modules/core-networking/locals.tf

@@ -8,8 +8,8 @@ locals {
   waf_rule_sets_priority = {
     AWSManagedRulesAmazonIpReputationList : 2
     AWSManagedRulesAnonymousIpList : 3
-    AWSManagedRulesBotControlRuleSet : 5
-    AWSManagedRulesCommonRuleSet : 1
+    # AWSManagedRulesBotControlRuleSet : 5
+    # AWSManagedRulesCommonRuleSet : 1
     AWSManagedRulesSQLiRuleSet : 4
   }
 }

terragrunt/modules/core-networking/outputs.tf

@@ -61,3 +61,7 @@ output "vpc_id" {
   description = "ID of the VPC"
   value       = aws_vpc.this.id
 }
+
+output "waf_acl_arn" {
+  value = try(aws_wafv2_web_acl.this[0].arn, null)
+}

terragrunt/modules/ecs/load-balancer.tf

@@ -16,6 +16,13 @@ resource "aws_lb" "ecs" {
   )
 }
 
+resource "aws_wafv2_web_acl_association" "ecs" {
+  count = local.waf_enabled ? 1 : 0
+
+  resource_arn = aws_lb.ecs.arn
+  web_acl_arn  = var.waf_acl_arn
+}
+
 resource "aws_lb_listener" "ecs" {
 
   certificate_arn   = aws_acm_certificate.this.arn

terragrunt/modules/ecs/locals.tf

@@ -45,4 +45,6 @@ locals {
     config.name
   ]
 
+  waf_enabled = contains(["development"], var.environment)
+
 }

terragrunt/modules/ecs/variables.tf

@@ -257,3 +257,8 @@ variable "vpce_secretsmanager_sg_id" {
   description = "Security group ID of the Secrets Manager VPC endpoint"
   type        = string
 }
+
+variable "waf_acl_arn" {
+  description = "WAF ACL ARN to be associated with the ALB"
+  type        = string
+}