Merge pull request #206 from YAPP-Github/develop

[Feat] WAF 설정 변경 prod 적용

Author: lvalentine6

terraform/common/locals.tf

@@ -4,7 +4,6 @@ data "aws_region" "current" {}
 locals {
   group_name   = "power"
   project_name = "eatda"
-  admin_email  = "[email protected]"
 
   policy_arns = [
     "arn:aws:iam::aws:policy/AdministratorAccess",
@@ -251,5 +250,5 @@ locals {
 }
 
 locals {
-  request_threshold = 200
+  request_threshold = 2000
 }

terraform/common/main.tf

@@ -74,4 +74,9 @@ resource "aws_cloudwatch_log_group" "waf_logs" {
 resource "aws_wafv2_web_acl_logging_configuration" "this" {
   log_destination_configs = [trimsuffix(aws_cloudwatch_log_group.waf_logs.arn, ":*")]
   resource_arn            = module.waf.web_acl_arn
+  redacted_fields {
+    single_header {
+      name = "x-origin-verify"
+    }
+  }
 }

terraform/common/waf/main.tf

@@ -1,15 +1,131 @@
+data "aws_ssm_parameter" "x_origin_verify" {
+  name = "/common/CLIENT_HEADER_SECRET"
+}
+
 resource "aws_wafv2_web_acl" "this" {
   name  = "${var.project_name}-web-acl"
   scope = "REGIONAL"
 
   default_action {
-    allow {}
+    block {}
+  }
+
+  rule {
+    name     = "Allow-Verified-Server-Requests"
+    priority = 5
+    action {
+      allow {}
+    }
+    statement {
+      and_statement {
+        statement {
+          or_statement {
+            statement {
+              byte_match_statement {
+                field_to_match {
+                  single_header {
+                    name = "user-agent"
+                  }
+                }
+                search_string         = "node"
+                positional_constraint = "CONTAINS"
+                text_transformation {
+                  priority = 0
+                  type     = "NONE"
+                }
+              }
+            }
+            statement {
+              byte_match_statement {
+                field_to_match {
+                  single_header {
+                    name = "user-agent"
+                  }
+                }
+                search_string         = "Vercel"
+                positional_constraint = "CONTAINS"
+                text_transformation {
+                  priority = 0
+                  type     = "NONE"
+                }
+              }
+            }
+          }
+        }
+        statement {
+          byte_match_statement {
+            field_to_match {
+              single_header {
+                name = "x-origin-verify"
+              }
+            }
+            search_string         = data.aws_ssm_parameter.x_origin_verify.value
+            positional_constraint = "EXACTLY"
+            text_transformation {
+              priority = 0
+              type     = "NONE"
+            }
+          }
+        }
+      }
+    }
+    visibility_config {
+      cloudwatch_metrics_enabled = true
+      metric_name                = "allow-verified-server-requests"
+      sampled_requests_enabled   = true
+    }
+  }
+
+  rule {
+    name     = "Allow-Browser-Requests"
+    priority = 10
+    action {
+      allow {}
+    }
+    statement {
+      or_statement {
+        statement {
+          size_constraint_statement {
+            field_to_match {
+              single_header {
+                name = "origin"
+              }
+            }
+            comparison_operator = "GT"
+            size                = 0
+            text_transformation {
+              priority = 0
+              type     = "NONE"
+            }
+          }
+        }
+        statement {
+          size_constraint_statement {
+            field_to_match {
+              single_header {
+                name = "referer"
+              }
+            }
+            comparison_operator = "GT"
+            size                = 0
+            text_transformation {
+              priority = 0
+              type     = "NONE"
+            }
+          }
+        }
+      }
+    }
+    visibility_config {
+      cloudwatch_metrics_enabled = true
+      metric_name                = "allow-browser-requests"
+      sampled_requests_enabled   = true
+    }
   }
 
-  # Rate-based Rule (HTTP Flood)
   rule {
     name     = "Rate-Limit-Rule"
-    priority = 1
+    priority = 20
     action {
       block {}
     }
@@ -29,7 +145,7 @@ resource "aws_wafv2_web_acl" "this" {
   # AWS Managed Core Rule Set
   rule {
     name     = "AWS-Managed-Core-Rule-Set"
-    priority = 10
+    priority = 30
     override_action {
       none {}
     }
@@ -49,7 +165,7 @@ resource "aws_wafv2_web_acl" "this" {
   # Scanners & Probes Protection
   rule {
     name     = "AWS-Managed-Known-Bad-Inputs-Rule-Set"
-    priority = 20
+    priority = 40
     override_action {
       none {}
     }
@@ -69,7 +185,7 @@ resource "aws_wafv2_web_acl" "this" {
   # Reputation Lists Protection
   rule {
     name     = "AWS-Managed-Amazon-IP-Reputation-List"
-    priority = 30
+    priority = 50
     override_action {
       none {}
     }
@@ -89,7 +205,7 @@ resource "aws_wafv2_web_acl" "this" {
   # Bad Bot Protection
   rule {
     name     = "AWS-Managed-Bot-Control-Rule-Set"
-    priority = 40
+    priority = 60
     override_action {
       none {}
     }
@@ -109,7 +225,7 @@ resource "aws_wafv2_web_acl" "this" {
   # Anonymous IP list
   rule {
     name     = "AWS-Managed-Anonymous-IP-List"
-    priority = 50
+    priority = 70
     override_action {
       none {}
     }
@@ -129,7 +245,7 @@ resource "aws_wafv2_web_acl" "this" {
   # SQL database
   rule {
     name     = "AWS-Managed-SQLi-Rule-Set"
-    priority = 60
+    priority = 80
     override_action {
       none {}
     }