From 96dbe1f5c51d8415b9747abbff2889c169cc0cd6 Mon Sep 17 00:00:00 2001
From: briskt <3172830+briskt@users.noreply.github.com>
Date: Tue, 29 Oct 2024 12:55:14 +0800
Subject: [PATCH 1/2] add a firewall rule to skip Super Bot Fight Mode for packets from NAT
---
 terraform/010-cluster/README.md | 3 +++
 terraform/010-cluster/main.tf | 30 ++++++++++++++++++++++++++++++
 terraform/010-cluster/vars.tf | 5 +++++
 terraform/010-cluster/versions.tf | 7 +++++++
 test/010-cluster.tf | 1 +
 5 files changed, 46 insertions(+)

diff --git a/terraform/010-cluster/README.md b/terraform/010-cluster/README.md
index 6fa6bb9..23716da 100644
--- a/terraform/010-cluster/README.md
+++ b/terraform/010-cluster/README.md
@@ -10,6 +10,9 @@ ssl certificate, core application load balancer, and a CloudWatch log group
 - Locate ACM certificate for use in ALB listeners
 - Create application load balancer (ALB)
 - Create CloudWatch log group
+ - Optionally create a Cloudwatch dashboard
+ - Optionally create a NAT gateway
+ - Create a Cloudflare rule to allow access to the NAT gateway (if enabled)
 
 ## Required Inputs
 
diff --git a/terraform/010-cluster/main.tf b/terraform/010-cluster/main.tf
index ce5df0a..295155d 100644
--- a/terraform/010-cluster/main.tf
+++ b/terraform/010-cluster/main.tf
@@ -136,3 +136,33 @@ module "ecs-service-cloudwatch-dashboard" {
 }
 
 data "aws_region" "current" {}
+
+
+resource "cloudflare_ruleset" "nat" {
+ count = var.create_nat_gateway ? 1 : 0
+
+ zone_id = data.cloudflare_zone.this.id
+ name = "Bypass bot protection"
+ description = "Skip super bot fight mode to ensure id-broker can access MFA API"
+ kind = "zone"
+ phase = "http_request_firewall_custom"
+
+ rules {
+ action = "skip"
+ expression = "(ip.src eq ${module.vpc.nat_gateway_ip})"
+ description = "skip outbound NAT gateway IP address"
+ enabled = true
+ action_parameters {
+ phases = [
+ "http_request_sbfm"
+ ]
+ }
+ logging {
+ enabled = true
+ }
+ }
+}
+
+data "cloudflare_zone" "this" {
+ name = var.cloudflare_domain
+}
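Review bot: The skip rule on the `expression` line exempts every request whose source is the NAT gateway IP from Super Bot Fight Mode across the whole zone, although the `description` line says the intent is only to let id-broker reach the MFA API; anything that egresses through that NAT gateway inherits the exemption. If the MFA API has its own hostname, narrowing the match with `http.host`, e.g. `expression = "(ip.src eq ${module.vpc.nat_gateway_ip} and http.host eq \"<MFA_API_HOSTNAME>\")"`, keeps the bypass to the one endpoint that needs it, and the `logging { enabled = true }` block is worth keeping so the skipped requests remain visible in firewall events. Separately, `data "cloudflare_zone" "this"` is unconditional while `cloudflare_ruleset.nat` is gated by `count`, so a deployment with `create_nat_gateway = false` still performs the zone lookup and needs a configured Cloudflare provider plus a valid `cloudflare_domain`; patch 2/2 defaults that variable to `""`, which is likely to make the lookup error out rather than be skipped. Gating the data source the same way (`count = var.create_nat_gateway ? 1 : 0` and `zone_id = data.cloudflare_zone.this[0].id`) keeps the two in step.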
diff --git a/terraform/010-cluster/vars.tf b/terraform/010-cluster/vars.tf
index 0c0f34c..8ce253e 100644
--- a/terraform/010-cluster/vars.tf
+++ b/terraform/010-cluster/vars.tf
@@ -21,6 +21,11 @@ variable "cert_domain_name" {
 type = string
 }
 
+variable "cloudflare_domain" {
+ description = "The base domain name to be used for Cloudflare resources, e.g. example.net"
+ type = string
+}
+
 variable "create_dashboard" {
 description = "Set to false to remove the Cloudwatch Dashboard"
 type = bool
diff --git a/terraform/010-cluster/versions.tf b/terraform/010-cluster/versions.tf
index f6615c5..b5d9dd9 100644
--- a/terraform/010-cluster/versions.tf
+++ b/terraform/010-cluster/versions.tf
@@ -6,5 +6,12 @@ terraform {
 source = "hashicorp/aws"
 version = ">= 4.0.0, < 6.0.0"
 }
+ cloudflare = {
+ source = "cloudflare/cloudflare"
+
+ // 4.39.0 deprecated cloudflare_record.value
+ // While waiting for version 5 to mature, we'll constrain to earlier versions.
+ version = ">= 2.0.0, < 4.39.0"
+ }
 }
 }
diff --git a/test/010-cluster.tf b/test/010-cluster.tf
index 3630c03..c77aa42 100644
--- a/test/010-cluster.tf
+++ b/test/010-cluster.tf
@@ -6,6 +6,7 @@ module "cluster" {
 aws_instance = { a = "b" }
 aws_zones = [""]
 cert_domain_name = ""
+ cloudflare_domain = ""
 create_nat_gateway = true
 ecs_cluster_name = ""
 ecs_instance_profile_id = ""

From b16b15b07526a34c88bb2c946f7d9bfdf77a20dc Mon Sep 17 00:00:00 2001
From: briskt <3172830+briskt@users.noreply.github.com>
Date: Tue, 29 Oct 2024 12:56:41 +0800
Subject: [PATCH 2/2] make cloudflare_domain optional
---
 terraform/010-cluster/vars.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/terraform/010-cluster/vars.tf b/terraform/010-cluster/vars.tf
index 8ce253e..14b1a62 100644
--- a/terraform/010-cluster/vars.tf
+++ b/terraform/010-cluster/vars.tf
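Review bot: The lower bound of the new `version = ">= 2.0.0, < 4.39.0"` constraint in versions.tf is looser than what main.tf now requires: as far as I recall the `cloudflare_ruleset` resource and its `action_parameters.phases` argument only appeared in the 3.x provider series, so `terraform init` can resolve a 2.x provider that then fails to plan the ruleset. Pinning the lower bound to the first release that supports the resource as used here, `version = ">= <FIRST_SUPPORTED_VERSION>, < 4.39.0"`, makes the constraint match the code. The existing comment explains only the upper bound; a line such as `// cloudflare_ruleset with action_parameters.phases needs at least <FIRST_SUPPORTED_VERSION>` would document the lower one as well.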
@@ -24,6 +24,7 @@ variable "cert_domain_name" {
 variable "cloudflare_domain" {
 description = "The base domain name to be used for Cloudflare resources, e.g. example.net"
 type = string
+ default = ""
 }
 
 variable "create_dashboard" {