Merge pull request #266 from silinternational/waf-rule

add a firewall rule to skip Bot Fight Mode
silinternational · Oct 30, 2024 · 3da766b · 3da766b
2 parents 8c5d9c8 + b16b15b
commit 3da766b
Show file tree

Hide file tree

Showing 5 changed files with 47 additions and 0 deletions.
diff --git a/terraform/010-cluster/README.md b/terraform/010-cluster/README.md
@@ -10,6 +10,9 @@ ssl certificate, core application load balancer, and a CloudWatch log group
  - Locate ACM certificate for use in ALB listeners
  - Create application load balancer (ALB)
  - Create CloudWatch log group
+ - Optionally create a Cloudwatch dashboard
+ - Optionally create a NAT gateway
+ - Create a Cloudflare rule to allow access to the NAT gateway (if enabled)
 
 ## Required Inputs
 

diff --git a/terraform/010-cluster/main.tf b/terraform/010-cluster/main.tf
@@ -136,3 +136,33 @@ module "ecs-service-cloudwatch-dashboard" {
 }
 
 data "aws_region" "current" {}
+
+
+resource "cloudflare_ruleset" "nat" {
+  count = var.create_nat_gateway ? 1 : 0
+
+  zone_id     = data.cloudflare_zone.this.id
+  name        = "Bypass bot protection"
+  description = "Skip super bot fight mode to ensure id-broker can access MFA API"
+  kind        = "zone"
+  phase       = "http_request_firewall_custom"
+
+  rules {
+    action      = "skip"
+    expression  = "(ip.src eq ${module.vpc.nat_gateway_ip})"
+    description = "skip outbound NAT gateway IP address"
+    enabled     = true
+    action_parameters {
+      phases = [
+        "http_request_sbfm"
+      ]
+    }
+    logging {
+      enabled = true
+    }
+  }
+}
+
+data "cloudflare_zone" "this" {
+  name = var.cloudflare_domain
+}
diff --git a/terraform/010-cluster/vars.tf b/terraform/010-cluster/vars.tf
@@ -21,6 +21,12 @@ variable "cert_domain_name" {
   type = string
 }
 
+variable "cloudflare_domain" {
+  description = "The base domain name to be used for Cloudflare resources, e.g. example.net"
+  type        = string
+  default     = ""
+}
+
 variable "create_dashboard" {
   description = "Set to false to remove the Cloudwatch Dashboard"
   type        = bool

diff --git a/terraform/010-cluster/versions.tf b/terraform/010-cluster/versions.tf
@@ -6,5 +6,12 @@ terraform {
       source  = "hashicorp/aws"
       version = ">= 4.0.0, < 6.0.0"
     }
+    cloudflare = {
+      source = "cloudflare/cloudflare"
+
+      // 4.39.0 deprecated cloudflare_record.value
+      // While waiting for version 5 to mature, we'll constrain to earlier versions.
+      version = ">= 2.0.0, < 4.39.0"
+    }
   }
 }
diff --git a/test/010-cluster.tf b/test/010-cluster.tf
@@ -6,6 +6,7 @@ module "cluster" {
   aws_instance             = { a = "b" }
   aws_zones                = [""]
   cert_domain_name         = ""
+  cloudflare_domain        = ""
   create_nat_gateway       = true
   ecs_cluster_name         = ""
   ecs_instance_profile_id  = ""