Sort out WAF baseline on public LBs #1588
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ChrisBAshton
approved these changes
May 12, 2022
We want to add some other WAFs to this configuration, so start by updating the existing one to the latest version. This rule is used by Smokey to verify that a WAF is applied. My approach will be to build more comprehensive WAFs for each public end point, and include this rule in each of the new web ACLs. This will allow us to continue to check that WAFs are applied. The classic WAF's name had become a bit misleading after a bit, because although it's called `CachePublicWebACL` it's now also applied to a bunch of other things that are nothing to do with the cache LB. You have to assign a capacity to `aws_wafv2_rule_group`s which is calculated by adding up all the elements you use from [the rules statement list](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statements-list.html). It's not super easy to figure out, but it allows users of your rule group to ensure that their [rules come in under the maximum capacity](https://docs.aws.amazon.com/waf/latest/developerguide/how-aws-waf-works.html#aws-waf-capacity-units). It's possible to modify rule groups, however the capacity is immutable because consumers rely on it to be able to remain within limits. I've therefore set the capacity at a bit more than it's using, so we can have some flexibility. We're going to reuse the existing log stream, as it seems fit for purpose. There's a [lambda that filters out logs](https://github.com/alphagov/govuk-aws/blob/main/terraform/lambda/WAFLogTrimmer/lambda.js) that are generated by the `Default_Action` (as these are requests that don't match any rule and will not be interesting). This field is still good for [current WAF logs](https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html), so we'll continue to use this method. I've only moved the public cache LB over to the new web ACL for now, but will do the others soon.
In the previous commit we built a copy of the existing WAF using the newer option in AWS - WAFv2. In this commit, we migrate the remaining load balancers from the old version to the new version and delete the old configuration. The next step will be to build separate rule groups for the differing needs of each load balancer and apply them individually. It's easier to do this once we've moved everything over to the new version. There is still a [Smokey check to check that a firewall](https://github.com/alphagov/smokey/blob/main/features/waf.feature) using this rule exists and this still passes.
Many of these have other ACLs applied in front of them, however it's useful to start by applying basic configuration, as it's then easier to iterate.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR has three sections:
This is a stepping stone to make it easier to configure specific WAF configurations to each LB that needs it. The next step is to configure separate WebACLs for each LB that needs different configuration.
There is further context in each commit.
https://trello.com/c/IvZrVCL3/2869-setting-rate-limits-within-aws-waf