[NDR-13] WAF ACL for CloudFront resources (#289)

robg-nhs · robg-test · web-flow · commit 3007caf0c63c · 2025-04-29T14:21:52.000+01:00
* [NDR-13] CloudFront Firewall Implementation

* [NDR-13] Docs and Formatting

* Updated name of resource from cloudwatch to cloudfront

* Default web_acl_id to ""

---------

Co-authored-by: robg-nhs &lt;rob.gaskin1@nhs.net&gt;
diff --git a/infrastructure/README.md b/infrastructure/README.md
@@ -8,7 +8,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.86.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.95.0 |
 
 ## Modules
 
@@ -39,8 +39,9 @@
 | <a name="module_bulk-upload-report-alarm-topic"></a> [bulk-upload-report-alarm-topic](#module\_bulk-upload-report-alarm-topic) | ./modules/sns | n/a |
 | <a name="module_bulk-upload-report-lambda"></a> [bulk-upload-report-lambda](#module\_bulk-upload-report-lambda) | ./modules/lambda | n/a |
 | <a name="module_bulk_upload_report_dynamodb_table"></a> [bulk\_upload\_report\_dynamodb\_table](#module\_bulk\_upload\_report\_dynamodb\_table) | ./modules/dynamo_db | n/a |
-| <a name="module_cloudfront-distribution-lg"></a> [cloudfront-distribution-lg](#module\_cloudfront-distribution-lg) | ./modules/cloudfront/ | n/a |
+| <a name="module_cloudfront-distribution-lg"></a> [cloudfront-distribution-lg](#module\_cloudfront-distribution-lg) | ./modules/cloudfront | n/a |
 | <a name="module_cloudfront_edge_dynamodb_table"></a> [cloudfront\_edge\_dynamodb\_table](#module\_cloudfront\_edge\_dynamodb\_table) | ./modules/dynamo_db | n/a |
+| <a name="module_cloudfront_firewall_waf_v2"></a> [cloudfront\_firewall\_waf\_v2](#module\_cloudfront\_firewall\_waf\_v2) | ./modules/firewall_waf_v2 | n/a |
 | <a name="module_create-doc-ref-gateway"></a> [create-doc-ref-gateway](#module\_create-doc-ref-gateway) | ./modules/gateway | n/a |
 | <a name="module_create-doc-ref-lambda"></a> [create-doc-ref-lambda](#module\_create-doc-ref-lambda) | ./modules/lambda | n/a |
 | <a name="module_create-token-gateway"></a> [create-token-gateway](#module\_create-token-gateway) | ./modules/gateway | n/a |
diff --git a/infrastructure/cloudfront.tf b/infrastructure/cloudfront.tf
@@ -1,7 +1,18 @@
+module "cloudfront_firewall_waf_v2" {
+  source         = "./modules/firewall_waf_v2"
+  cloudfront_acl = true
+
+  environment = var.environment
+  owner       = var.owner
+  count       = local.is_sandbox ? 0 : 1
+  providers   = { aws = aws.us_east_1 }
+}
+
 module "cloudfront-distribution-lg" {
-  source             = "./modules/cloudfront/"
+  source             = "./modules/cloudfront"
   bucket_domain_name = "${terraform.workspace}-${var.lloyd_george_bucket_name}.s3.eu-west-2.amazonaws.com"
   bucket_id          = module.ndr-lloyd-george-store.bucket_id
   qualifed_arn       = module.edge-presign-lambda.qualified_arn
   depends_on         = [module.edge-presign-lambda.qualified_arn, module.ndr-lloyd-george-store.bucket_id, module.ndr-lloyd-george-store.bucket_domain_name]
-}
+  web_acl_id         = try(module.cloudfront_firewall_waf_v2[0].arn, "")
+}
diff --git a/infrastructure/firewall.tf b/infrastructure/firewall.tf
@@ -1,8 +1,9 @@
 module "firewall_waf_v2" {
-  source      = "./modules/firewall_waf_v2"
-  environment = var.environment
-  owner       = var.owner
-  count       = local.is_sandbox ? 0 : 1
+  source         = "./modules/firewall_waf_v2"
+  cloudfront_acl = false
+  environment    = var.environment
+  owner          = var.owner
+  count          = local.is_sandbox ? 0 : 1
 }
 
 resource "aws_wafv2_web_acl_association" "web_acl_association" {
@@ -13,4 +14,5 @@ resource "aws_wafv2_web_acl_association" "web_acl_association" {
     module.ndr-ecs-fargate-app,
     module.firewall_waf_v2[0]
   ]
-}
+}
+
diff --git a/infrastructure/modules/app_config/README.md b/infrastructure/modules/app_config/README.md
@@ -6,7 +6,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.96.0 |
 
 ## Modules
 
diff --git a/infrastructure/modules/cloudfront/README.md b/infrastructure/modules/cloudfront/README.md
@@ -6,7 +6,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.95.0 |
 
 ## Modules
 
@@ -28,6 +28,7 @@ No modules.
 | <a name="input_bucket_domain_name"></a> [bucket\_domain\_name](#input\_bucket\_domain\_name) | Domain name to assign CloudFront distribution to | `string` | n/a | yes |
 | <a name="input_bucket_id"></a> [bucket\_id](#input\_bucket\_id) | Bucket ID to assign CloudFront distribution to | `string` | n/a | yes |
 | <a name="input_qualifed_arn"></a> [qualifed\_arn](#input\_qualifed\_arn) | Lambda@Edge function association | `string` | n/a | yes |
+| <a name="input_web_acl_id"></a> [web\_acl\_id](#input\_web\_acl\_id) | Web ACL to associate this Cloudfront distribution with | `string` | n/a | yes |
 
 ## Outputs
 
diff --git a/infrastructure/modules/cloudfront/main.tf b/infrastructure/modules/cloudfront/main.tf
@@ -36,6 +36,7 @@ resource "aws_cloudfront_distribution" "distribution" {
       locations        = ["GB"]
     }
   }
+  web_acl_id = var.web_acl_id
 }
 
 resource "aws_cloudfront_origin_request_policy" "viewer_policy" {
@@ -90,4 +91,5 @@ resource "aws_cloudfront_cache_policy" "nocache" {
       query_string_behavior = "none"
     }
   }
-}
+}
+
diff --git a/infrastructure/modules/cloudfront/variable.tf b/infrastructure/modules/cloudfront/variable.tf
@@ -11,4 +11,11 @@ variable "bucket_id" {
 variable "qualifed_arn" {
   type        = string
   description = "Lambda@Edge function association"
-}
+}
+
+variable "web_acl_id" {
+  type        = string
+  description = "Web ACL to associate this Cloudfront distribution with"
+  default     = ""
+}
+
diff --git a/infrastructure/modules/firewall_waf_v2/README.md b/infrastructure/modules/firewall_waf_v2/README.md
@@ -6,7 +6,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.95.0 |
 
 ## Modules
 
@@ -25,6 +25,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_cloudfront_acl"></a> [cloudfront\_acl](#input\_cloudfront\_acl) | n/a | `bool` | n/a | yes |
 | <a name="input_environment"></a> [environment](#input\_environment) | n/a | `string` | n/a | yes |
 | <a name="input_owner"></a> [owner](#input\_owner) | n/a | `string` | n/a | yes |
 
diff --git a/infrastructure/modules/firewall_waf_v2/main.tf b/infrastructure/modules/firewall_waf_v2/main.tf
@@ -1,7 +1,7 @@
 resource "aws_wafv2_web_acl" "waf_v2_acl" {
-  name        = "${terraform.workspace}-fw-waf-v2"
+  name        = "${terraform.workspace}-${var.cloudfront_acl ? "cloudfront" : ""}-fw-waf-v2"
   description = "A WAF to secure the Repo application."
-  scope       = "REGIONAL"
+  scope       = var.cloudfront_acl ? "CLOUDFRONT" : "REGIONAL"
 
   default_action {
     allow {}
@@ -50,6 +50,9 @@ resource "aws_wafv2_web_acl" "waf_v2_acl" {
             for_each = rule.value["excluded_rules"]
             content {
               name = excluded_rule.value
+              action_to_use {
+                allow {}
+              }
             }
           }
 
@@ -97,4 +100,5 @@ resource "aws_wafv2_web_acl" "waf_v2_acl" {
     Environment = var.environment
     Workspace   = terraform.workspace
   }
-}
+}
+
diff --git a/infrastructure/modules/firewall_waf_v2/regex.tf b/infrastructure/modules/firewall_waf_v2/regex.tf
@@ -1,7 +1,7 @@
 resource "aws_wafv2_regex_pattern_set" "large_body_uri" {
   name        = "${terraform.workspace}-fw-waf-body-size"
   description = "A set of regex to allow specific pages to bypass the large body check"
-  scope       = "REGIONAL"
+  scope       = var.cloudfront_acl ? "CLOUDFRONT" : "REGIONAL"
 
   # Allow pages involving images
   regular_expression {
@@ -24,7 +24,7 @@ resource "aws_wafv2_regex_pattern_set" "large_body_uri" {
 resource "aws_wafv2_regex_pattern_set" "xss_body_uri" {
   name        = "${terraform.workspace}-fw-waf-body-xss"
   description = "A regex to allow specific pages to bypass XSS checks on body"
-  scope       = "REGIONAL"
+  scope       = var.cloudfront_acl ? "CLOUDFRONT" : "REGIONAL"
 
   # Allow pages involving images
   regular_expression {
@@ -42,7 +42,7 @@ resource "aws_wafv2_regex_pattern_set" "xss_body_uri" {
 resource "aws_wafv2_regex_pattern_set" "exclude_cms_uri" {
   name        = "${terraform.workspace}-fw-waf-cms-exclude"
   description = "A regex to allow CMS calls to bypass firewalls"
-  scope       = "REGIONAL"
+  scope       = var.cloudfront_acl ? "CLOUDFRONT" : "REGIONAL"
 
   # Allow pages involving images
   regular_expression {
diff --git a/infrastructure/modules/firewall_waf_v2/variables.tf b/infrastructure/modules/firewall_waf_v2/variables.tf
@@ -4,4 +4,9 @@ variable "environment" {
 
 variable "owner" {
   type = string
-}
+}
+
+variable "cloudfront_acl" {
+  type = bool
+}
+

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,7 @@ resource "aws_cloudfront_distribution" "distribution" {`
`36`	`36`	`locations = ["GB"]`
`37`	`37`	`}`
`38`	`38`	`}`
	`39`	`+ web_acl_id = var.web_acl_id`
`39`	`40`	`}`
`40`	`41`
`41`	`42`	`resource "aws_cloudfront_origin_request_policy" "viewer_policy" {`
`@@ -90,4 +91,5 @@ resource "aws_cloudfront_cache_policy" "nocache" {`
`90`	`91`	`query_string_behavior = "none"`
`91`	`92`	`}`
`92`	`93`	`}`
`93`		`-}`
	`94`	`+}`
	`95`	`+`