[NDR-13] Add access logging to load balancer logs (#279)

robg-test · robg-test · commit 98998b58de53 · 2025-04-28T11:33:23.000+01:00
diff --git a/infrastructure/cloudfront.tf b/infrastructure/cloudfront.tf
@@ -1,7 +1,18 @@
+module "cloudfront_firewall_waf_v2" {
+  source = "./modules/firewall_waf_v2"
+  cloudfront_acl = true
+
+  environment = var.environment
+  owner       = var.owner
+  count       = local.is_sandbox ? 0 : 1
+  providers   = {aws = aws.us_east_1}
+}
+
 module "cloudfront-distribution-lg" {
-  source             = "./modules/cloudfront/"
+  source             = "./modules/cloudfront"
   bucket_domain_name = "${terraform.workspace}-${var.lloyd_george_bucket_name}.s3.eu-west-2.amazonaws.com"
   bucket_id          = module.ndr-lloyd-george-store.bucket_id
   qualifed_arn       = module.edge-presign-lambda.qualified_arn
   depends_on         = [module.edge-presign-lambda.qualified_arn, module.ndr-lloyd-george-store.bucket_id, module.ndr-lloyd-george-store.bucket_domain_name]
-}
+  web_acl_id         = try(module.cloudfront_firewall_waf_v2[0].arn, "")
+}
diff --git a/infrastructure/firewall.tf b/infrastructure/firewall.tf
@@ -1,12 +1,10 @@
 module "firewall_waf_v2" {
   source = "./modules/firewall_waf_v2"
+  cloudfront_acl = false
 
   environment = var.environment
   owner       = var.owner
-  count = (terraform.workspace == "ndra" ||
-    terraform.workspace == "ndrb" ||
-    terraform.workspace == "ndrc" ||
-  terraform.workspace == "ndrd") ? 0 : 1
+  count       = local.is_sandbox ? 0 : 1
 }
 
 resource "aws_wafv2_web_acl_association" "web_acl_association" {
@@ -21,4 +19,5 @@ resource "aws_wafv2_web_acl_association" "web_acl_association" {
     module.ndr-ecs-fargate-app,
     module.firewall_waf_v2[0]
   ]
-}
+}
+
diff --git a/infrastructure/modules/cloudfront/main.tf b/infrastructure/modules/cloudfront/main.tf
@@ -36,6 +36,7 @@ resource "aws_cloudfront_distribution" "distribution" {
       locations        = ["GB"]
     }
   }
+  web_acl_id = var.web_acl_id
 }
 
 resource "aws_cloudfront_origin_request_policy" "viewer_policy" {
@@ -90,4 +91,5 @@ resource "aws_cloudfront_cache_policy" "nocache" {
       query_string_behavior = "none"
     }
   }
-}
+}
+
diff --git a/infrastructure/modules/cloudfront/variable.tf b/infrastructure/modules/cloudfront/variable.tf
@@ -11,4 +11,10 @@ variable "bucket_id" {
 variable "qualifed_arn" {
   type        = string
   description = "Lambda@Edge function association"
-}
+}
+
+variable "web_acl_id" {
+  type        = string
+  description = "Web ACL to associate this Cloudfront distribution with"
+}
+
diff --git a/infrastructure/modules/firewall_waf_v2/main.tf b/infrastructure/modules/firewall_waf_v2/main.tf
@@ -1,7 +1,7 @@
 resource "aws_wafv2_web_acl" "waf_v2_acl" {
-  name        = "${terraform.workspace}-fw-waf-v2"
+  name = "${terraform.workspace}-${var.cloudfront_acl ? "cloudwatch" : ""}-fw-waf-v2"
   description = "A WAF to secure the Repo application."
-  scope       = "REGIONAL"
+  scope       = var.cloudfront_acl ? "CLOUDFRONT" : "REGIONAL"
 
   default_action {
     allow {}
@@ -50,6 +50,9 @@ resource "aws_wafv2_web_acl" "waf_v2_acl" {
             for_each = rule.value["excluded_rules"]
             content {
               name = excluded_rule.value
+              action_to_use {
+                allow {}
+              }
             }
           }
 
@@ -97,4 +100,5 @@ resource "aws_wafv2_web_acl" "waf_v2_acl" {
     Environment = var.environment
     Workspace   = terraform.workspace
   }
-}
+}
+
diff --git a/infrastructure/modules/firewall_waf_v2/regex.tf b/infrastructure/modules/firewall_waf_v2/regex.tf
@@ -1,7 +1,7 @@
 resource "aws_wafv2_regex_pattern_set" "large_body_uri" {
   name        = "${terraform.workspace}-fw-waf-body-size"
   description = "A set of regex to allow specific pages to bypass the large body check"
-  scope       = "REGIONAL"
+  scope       = var.cloudfront_acl ? "CLOUDFRONT" : "REGIONAL"
 
   # Allow pages involving images
   regular_expression {
@@ -24,7 +24,7 @@ resource "aws_wafv2_regex_pattern_set" "large_body_uri" {
 resource "aws_wafv2_regex_pattern_set" "xss_body_uri" {
   name        = "${terraform.workspace}-fw-waf-body-xss"
   description = "A regex to allow specific pages to bypass XSS checks on body"
-  scope       = "REGIONAL"
+  scope       = var.cloudfront_acl ? "CLOUDFRONT" : "REGIONAL"
 
   # Allow pages involving images
   regular_expression {
@@ -42,7 +42,7 @@ resource "aws_wafv2_regex_pattern_set" "xss_body_uri" {
 resource "aws_wafv2_regex_pattern_set" "exclude_cms_uri" {
   name        = "${terraform.workspace}-fw-waf-cms-exclude"
   description = "A regex to allow CMS calls to bypass firewalls"
-  scope       = "REGIONAL"
+  scope       = var.cloudfront_acl ? "CLOUDFRONT" : "REGIONAL"
 
   # Allow pages involving images
   regular_expression {
diff --git a/infrastructure/modules/firewall_waf_v2/variables.tf b/infrastructure/modules/firewall_waf_v2/variables.tf
@@ -4,4 +4,9 @@ variable "environment" {
 
 variable "owner" {
   type = string
-}
+}
+
+variable "cloudfront_acl" {
+  type = bool
+}
+

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,7 @@ resource "aws_cloudfront_distribution" "distribution" {`
`36`	`36`	`locations = ["GB"]`
`37`	`37`	`}`
`38`	`38`	`}`
	`39`	`+ web_acl_id = var.web_acl_id`
`39`	`40`	`}`
`40`	`41`
`41`	`42`	`resource "aws_cloudfront_origin_request_policy" "viewer_policy" {`
`@@ -90,4 +91,5 @@ resource "aws_cloudfront_cache_policy" "nocache" {`
`90`	`91`	`query_string_behavior = "none"`
`91`	`92`	`}`
`92`	`93`	`}`
`93`		`-}`
	`94`	`+}`
	`95`	`+`