[NDR-182] Exclude body firewall rule for api (#357)

SWhyteAnswer · web-flow · commit be4401295e35 · 2025-07-30T09:46:07.000+01:00
* [NDR-182] exclude body rule

* [NDR-182] temp remove count

* [NDR-182] fixing dodgy dynamic

* [NDR-182] revert count

* [NDR-182] rebase error

---------

Co-authored-by: Sam Whyte &lt;sam.whyte@answerdigital.com&gt;
diff --git a/infrastructure/modules/firewall_waf_v2/README.md b/infrastructure/modules/firewall_waf_v2/README.md
@@ -28,7 +28,7 @@ module "waf_acl" {
   # Required: resource owner for tagging
   owner = "security-team"
 
-  # True if using the firewall for an api - removes AWSBotControl
+  # True if using the firewall for an api - removes AWSBotControl and SizeRestrictions_BODY
   api = true
 }
 
@@ -53,7 +53,7 @@ module "waf_acl" {
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_api"></a> [api](#input\_api) | True if using the firewall for an api - removes AWSBotControl. | `bool` | `false` | no |
+| <a name="input_api"></a> [api](#input\_api) | True if using the firewall for an api - removes AWSBotControl and SizeRestrictions\_BODY | `bool` | `false` | no |
 | <a name="input_cloudfront_acl"></a> [cloudfront\_acl](#input\_cloudfront\_acl) | Set to true if this WAF ACL is for a CloudFront distribution. | `bool` | n/a | yes |
 | <a name="input_environment"></a> [environment](#input\_environment) | Environment name used for tagging and resource naming. | `string` | n/a | yes |
 | <a name="input_owner"></a> [owner](#input\_owner) | Name of the owner used for tagging. | `string` | n/a | yes |
diff --git a/infrastructure/modules/firewall_waf_v2/local.tf b/infrastructure/modules/firewall_waf_v2/local.tf
@@ -7,7 +7,7 @@ locals {
       name                    = "AWSCoreRuleSet"
       managed_rule_name       = "AWSManagedRulesCommonRuleSet"
       cloudwatch_metrics_name = "AWS-core-ruleset"
-      excluded_rules          = []
+      excluded_rules          = var.api ? ["SizeRestrictions_BODY"] : []
       bypass                  = ["Yes"]
     },
     {
diff --git a/infrastructure/modules/firewall_waf_v2/main.tf b/infrastructure/modules/firewall_waf_v2/main.tf
@@ -47,9 +47,9 @@ resource "aws_wafv2_web_acl" "waf_v2_acl" {
 
 
           dynamic "rule_action_override" {
-            for_each = rule.value["excluded_rules"]
+            for_each = rule.value.excluded_rules
             content {
-              name = excluded_rule.value
+              name = rule_action_override.value
               action_to_use {
                 allow {}
               }
diff --git a/infrastructure/modules/firewall_waf_v2/variables.tf b/infrastructure/modules/firewall_waf_v2/variables.tf
@@ -14,7 +14,7 @@ variable "cloudfront_acl" {
 }
 
 variable "api" {
-  description = "True if using the firewall for an api - removes AWSBotControl."
+  description = "True if using the firewall for an api - removes AWSBotControl and SizeRestrictions_BODY"
   type        = bool
   default     = false
 }

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@ locals {`
`7`	`7`	`name = "AWSCoreRuleSet"`
`8`	`8`	`managed_rule_name = "AWSManagedRulesCommonRuleSet"`
`9`	`9`	`cloudwatch_metrics_name = "AWS-core-ruleset"`
`10`		`- excluded_rules = []`
	`10`	`+ excluded_rules = var.api ? ["SizeRestrictions_BODY"] : []`
`11`	`11`	`bypass = ["Yes"]`
`12`	`12`	`},`
`13`	`13`	`{`
Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ variable "cloudfront_acl" {`
`14`	`14`	`}`
`15`	`15`
`16`	`16`	`variable "api" {`
`17`		`- description = "True if using the firewall for an api - removes AWSBotControl."`
	`17`	`+ description = "True if using the firewall for an api - removes AWSBotControl and SizeRestrictions_BODY"`
`18`	`18`	`type = bool`
`19`	`19`	`default = false`
`20`	`20`	`}`