enha: added option to configure WAF web ACL (#1)

kfc-manager · kfc-manager · commit af9b9186a9b8 · 2024-03-24T13:03:44.000+01:00
diff --git a/README.md b/README.md
@@ -27,6 +27,7 @@ This module provides an API Gateway with the option to define routes which invok
 | description | Short text of what the API Gateway is trying to accomplish.                                                                                                  | `string`       | ""      |    no    |
 | domain      | Custom domain pointed to the API Gateway.                                                                                                                    | `string`       | n/a     |   yes    |
 | zone_id     | ID of the public hosted zone for the domain. (When not specified the public hosted zone of the domain will be pulled with a data resource from your account) | `string`       | ""      |    no    |
+| rate_limit  | Rate limit for traffic from the same IP address over a period of 5 minutes.                                                                                  | `number`       | 0       |    no    |
 | routes      | A list of objects for the definition of routes in the API Gateway.                                                                                           | `list(object)` | []      |    no    |
 | log_config  | An object for the definition of a CloudWatch log for the API Gateway.                                                                                        | `object`       | null    |    no    |
 | cors_config | An object for the definition of the CORS configuration for the API Gateway.                                                                                  | `object`       | null    |    no    |
diff --git a/main.tf b/main.tf
@@ -171,3 +171,64 @@ resource "aws_route53_record" "main" {
     evaluate_target_health = false
   }
 }
+
+################################
+# WAF Web ACL                  #
+################################
+
+resource "aws_wafv2_web_acl" "main" {
+  count = var.rate_limit > 0 ? 1 : 0
+  name  = "${var.identifier}-api-gw"
+  scope = "REGIONAL"
+
+  default_action {
+    allow {}
+  }
+
+  custom_response_body {
+    key          = "blocked_request_custom_response"
+    content      = "{\n    \"error\":\"Too Many Requests.\"\n}"
+    content_type = "APPLICATION_JSON"
+  }
+
+  visibility_config {
+    cloudwatch_metrics_enabled = true
+    metric_name                = "${var.identifier}-api-gw"
+    sampled_requests_enabled   = true
+  }
+
+  rule {
+    name     = "RateLimit"
+    priority = 1
+
+    action {
+      block {
+        custom_response {
+          custom_response_body_key = "blocked_request_custom_response"
+          response_code            = 429
+        }
+      }
+    }
+
+    statement {
+      rate_based_statement {
+        aggregate_key_type = "IP"
+        limit              = var.rate_limit
+      }
+    }
+
+    visibility_config {
+      cloudwatch_metrics_enabled = true
+      metric_name                = "${var.identifier}-api-gw-RateLimit"
+      sampled_requests_enabled   = true
+    }
+  }
+
+  tags = var.tags
+}
+
+resource "aws_wafv2_web_acl_association" "main" {
+  count        = var.rate_limit > 0 ? 1 : 0
+  resource_arn = aws_apigatewayv2_stage.main.arn
+  web_acl_arn  = aws_wafv2_web_acl.main[0].arn
+}
diff --git a/tests/waf.tftest.hcl b/tests/waf.tftest.hcl
@@ -0,0 +1,50 @@
+provider "aws" {
+  region = "eu-central-1"
+  default_tags {
+    tags = {
+      Environment = "Test"
+    }
+  }
+}
+
+run "with_web_acl" {
+  command = plan
+
+  variables {
+    identifier = "abc"
+    domain     = "test.com"
+    zone_id    = "test-zone"
+    rate_limit = 100
+  }
+
+  assert {
+    condition     = length(aws_wafv2_web_acl.main) == 1
+    error_message = "Web ACL was not created"
+  }
+
+  assert {
+    condition     = length(aws_wafv2_web_acl_association.main) == 1
+    error_message = "Web ACL association was not created"
+  }
+}
+
+run "without_web_acl" {
+  command = plan
+
+  variables {
+    identifier = "abc"
+    domain     = "test.com"
+    zone_id    = "test-zone"
+    rate_limit = 0
+  }
+
+  assert {
+    condition     = length(aws_wafv2_web_acl.main) == 0
+    error_message = "Web ACL was created unexpectedly"
+  }
+
+  assert {
+    condition     = length(aws_wafv2_web_acl_association.main) == 0
+    error_message = "Web ACL association was created unexpectedly"
+  }
+}
diff --git a/variables.tf b/variables.tf
@@ -24,6 +24,12 @@ variable "zone_id" {
   default     = ""
 }
 
+variable "rate_limit" {
+  description = "Rate limit for traffic from the same IP address over a period of 5 minutes."
+  type        = number
+  default     = 0
+}
+
 variable "log_config" {
   description = "An object for the definition of a CloudWatch log for the API Gateway."
   type = object({
