[NDR-144] Remove BotControl from firewall associated with API (#345)

SWhyteAnswer · web-flow · commit 3e3af7ca85df · 2025-07-16T14:58:28.000+01:00
* [NDR-144] adding api var and logic to exclude botcontrol

* [NDR-144] quick fix

* [NDR-144] deponds on

* [NDR-144] changing name if api

* [NDR-144] temp remove sandbox restriction

* [NDR-144] regex patter name change

* [NDR-144] remove sandbox block

* [NDR-144] removing index while count is removed

* [NDR-144] and again

* [NDR - 144] re-adding sandbox count

* [NDR-144] variable description

---------

Co-authored-by: Sam Whyte &lt;sam.whyte@answerdigital.com&gt;
diff --git a/infrastructure/firewall.tf b/infrastructure/firewall.tf
@@ -6,6 +6,15 @@ module "firewall_waf_v2" {
   count          = local.is_sandbox ? 0 : 1
 }
 
+module "firewall_waf_v2_api" {
+  source         = "./modules/firewall_waf_v2"
+  cloudfront_acl = false
+  environment    = var.environment
+  owner          = var.owner
+  count          = local.is_sandbox ? 0 : 1
+  api            = true
+}
+
 resource "aws_wafv2_web_acl_association" "web_acl_association" {
   resource_arn = module.ndr-ecs-fargate-app.load_balancer_arn
   web_acl_arn  = module.firewall_waf_v2[0].arn
@@ -18,10 +27,10 @@ resource "aws_wafv2_web_acl_association" "web_acl_association" {
 
 resource "aws_wafv2_web_acl_association" "api_gateway" {
   resource_arn = aws_api_gateway_stage.ndr_api.arn
-  web_acl_arn  = module.firewall_waf_v2[0].arn
+  web_acl_arn  = module.firewall_waf_v2_api[0].arn
   count        = local.is_sandbox ? 0 : 1
   depends_on = [
     aws_api_gateway_stage.ndr_api,
-    module.firewall_waf_v2[0]
+    module.firewall_waf_v2_api[0]
   ]
 }
diff --git a/infrastructure/modules/firewall_waf_v2/local.tf b/infrastructure/modules/firewall_waf_v2/local.tf
@@ -2,7 +2,7 @@ locals {
 
   image_regex = "^\\/images(\\/\\w+)+\\/$"
 
-  waf_rules = [
+  waf_rules_raw = [
     {
       name                    = "AWSCoreRuleSet"
       managed_rule_name       = "AWSManagedRulesCommonRuleSet"
@@ -47,8 +47,14 @@ locals {
     }
   ]
 
+  # Filter out AWSBotControl if var.api is true
+  waf_rules = [
+    for rule in local.waf_rules_raw : rule
+    if !(var.api && rule.name == "AWSBotControl")
+  ]
+
   waf_rules_map = zipmap(
     range(0, length(local.waf_rules)),
     local.waf_rules
   )
-}
+}
diff --git a/infrastructure/modules/firewall_waf_v2/main.tf b/infrastructure/modules/firewall_waf_v2/main.tf
@@ -1,5 +1,5 @@
 resource "aws_wafv2_web_acl" "waf_v2_acl" {
-  name        = "${terraform.workspace}-${var.cloudfront_acl ? "cloudfront" : ""}-fw-waf-v2"
+  name        = "${terraform.workspace}${var.api ? "-api" : var.cloudfront_acl ? "-cloudfront" : ""}-fw-waf-v2"
   description = "A WAF to secure the Repo application."
   scope       = var.cloudfront_acl ? "CLOUDFRONT" : "REGIONAL"
 
diff --git a/infrastructure/modules/firewall_waf_v2/regex.tf b/infrastructure/modules/firewall_waf_v2/regex.tf
@@ -1,5 +1,5 @@
 resource "aws_wafv2_regex_pattern_set" "large_body_uri" {
-  name        = "${terraform.workspace}-fw-waf-body-size"
+  name        = "${terraform.workspace}-fw-waf-body-size${var.api ? "-api" : ""}"
   description = "A set of regex to allow specific pages to bypass the large body check"
   scope       = var.cloudfront_acl ? "CLOUDFRONT" : "REGIONAL"
 
@@ -22,7 +22,7 @@ resource "aws_wafv2_regex_pattern_set" "large_body_uri" {
 }
 
 resource "aws_wafv2_regex_pattern_set" "xss_body_uri" {
-  name        = "${terraform.workspace}-fw-waf-body-xss"
+  name        = "${terraform.workspace}-fw-waf-body-xss${var.api ? "-api" : ""}"
   description = "A regex to allow specific pages to bypass XSS checks on body"
   scope       = var.cloudfront_acl ? "CLOUDFRONT" : "REGIONAL"
 
@@ -40,7 +40,7 @@ resource "aws_wafv2_regex_pattern_set" "xss_body_uri" {
 }
 
 resource "aws_wafv2_regex_pattern_set" "exclude_cms_uri" {
-  name        = "${terraform.workspace}-fw-waf-cms-exclude"
+  name        = "${terraform.workspace}-fw-waf-cms-exclude${var.api ? "-api" : ""}"
   description = "A regex to allow CMS calls to bypass firewalls"
   scope       = var.cloudfront_acl ? "CLOUDFRONT" : "REGIONAL"
 
@@ -55,4 +55,4 @@ resource "aws_wafv2_regex_pattern_set" "exclude_cms_uri" {
     Environment = var.environment
     Workspace   = terraform.workspace
   }
-}
+}
diff --git a/infrastructure/modules/firewall_waf_v2/variables.tf b/infrastructure/modules/firewall_waf_v2/variables.tf
@@ -10,3 +10,9 @@ variable "cloudfront_acl" {
   type = bool
 }
 
+variable "api" {
+  type        = bool
+  description = "True if using the firewall for an api - removes AWSBotControl"
+  default     = false
+}
+

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@ locals {`
`2`	`2`
`3`	`3`	`image_regex = "^\\/images(\\/\\w+)+\\/$"`
`4`	`4`
`5`		`- waf_rules = [`
	`5`	`+ waf_rules_raw = [`
`6`	`6`	`{`
`7`	`7`	`name = "AWSCoreRuleSet"`
`8`	`8`	`managed_rule_name = "AWSManagedRulesCommonRuleSet"`
`@@ -47,8 +47,14 @@ locals {`
`47`	`47`	`}`
`48`	`48`	`]`
`49`	`49`
	`50`	`+ # Filter out AWSBotControl if var.api is true`
	`51`	`+ waf_rules = [`
	`52`	`+ for rule in local.waf_rules_raw : rule`
	`53`	`+ if !(var.api && rule.name == "AWSBotControl")`
	`54`	`+ ]`
	`55`	`+`
`50`	`56`	`waf_rules_map = zipmap(`
`51`	`57`	`range(0, length(local.waf_rules)),`
`52`	`58`	`local.waf_rules`
`53`	`59`	`)`
`54`		`-}`
	`60`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -10,3 +10,9 @@ variable "cloudfront_acl" {`
`10`	`10`	`type = bool`
`11`	`11`	`}`
`12`	`12`
	`13`	`+variable "api" {`
	`14`	`+ type = bool`
	`15`	`+ description = "True if using the firewall for an api - removes AWSBotControl"`
	`16`	`+ default = false`
	`17`	`+}`
	`18`	`+`