feat: showcased load balancer association with WAF ACL (#35)

* feat: showcased load balancer association with WAF ACL

* [Boldlinksig]: Pre-commit auto updated files on 10-11-2023 17:05:43.

* Modified changelog release number

---------

Co-authored-by: boldlinksig <boldlinksig@boldlink.io>

Author: patrickmukumbu

CHANGELOG.md

@@ -26,7 +26,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - feat: Add missing aws_ecs_task_definition arguments and showcase them in examples
 - feat: expand volume block of the task definition as it has more configuration
 
-## [1.7.0] - 2023-12-03
+## [1.8.0] - 2023-11-10
+### Changes
+- feat: Showcased WAF association for the loadbalancer
+
+## [1.7.0] - 2023-11-03
 ### Changes
 - feat: add complete example for alb and nlb service
 - feat: Enable ALB idle timeout configuration - this feature only works with ALB and not NLB.
@@ -142,8 +146,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - feat: feature update.
 - feat: initial code commit
 
-[Unreleased]: https://github.com/boldlink/terraform-aws-ecs-service/compare/1.7.0...HEAD
+[Unreleased]: https://github.com/boldlink/terraform-aws-ecs-service/compare/1.7.1...HEAD
 
+[1.7.1]: https://github.com/boldlink/terraform-aws-ecs-service/releases/tag/1.7.1
 [1.7.0]: https://github.com/boldlink/terraform-aws-ecs-service/releases/tag/1.7.0
 [1.6.0]: https://github.com/boldlink/terraform-aws-ecs-service/releases/tag/1.6.0
 [1.5.3]: https://github.com/boldlink/terraform-aws-ecs-service/releases/tag/1.5.3

README.md

@@ -186,7 +186,7 @@ module "ecs_service" {
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.24.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.25.0 |
 | <a name="provider_tls"></a> [tls](#provider\_tls) | 4.0.4 |
 
 ## Modules
@@ -235,7 +235,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_access_logs"></a> [access\_logs](#input\_access\_logs) | (Optional) Define an Access Logs block | `map(string)` | `{}` | no |
 | <a name="input_acm_certificate_arn"></a> [acm\_certificate\_arn](#input\_acm\_certificate\_arn) | ARN of ACM generated/third party certificate | `string` | `null` | no |
-| <a name="input_adjustment_type"></a> [adjustment\_type](#input\_adjustment\_type) | Required) Specifies whether the adjustment is an absolute number or a percentage of the current capacity. Valid values are ChangeInCapacity, ExactCapacity, and PercentChangeInCapacity. | `string` | `"ChangeInCapacity"` | no |
+| <a name="input_adjustment_type"></a> [adjustment\_type](#input\_adjustment\_type) | (Required) Specifies whether the adjustment is an absolute number or a percentage of the current capacity. Valid values are ChangeInCapacity, ExactCapacity, and PercentChangeInCapacity. | `string` | `"ChangeInCapacity"` | no |
 | <a name="input_alb_subnets"></a> [alb\_subnets](#input\_alb\_subnets) | Subnet IDs for the application load balancer. | `list(string)` | `[]` | no |
 | <a name="input_associate_with_waf"></a> [associate\_with\_waf](#input\_associate\_with\_waf) | Whether to associate created ALB with AWS WAFv2 ACL | `bool` | `false` | no |
 | <a name="input_associate_with_wafregional"></a> [associate\_with\_wafregional](#input\_associate\_with\_wafregional) | Whether to associate created ALB with WAF Regional Web ACL | `bool` | `false` | no |

examples/complete/README.md

@@ -39,7 +39,7 @@ To test the deployment, follow these steps:
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.24.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.25.0 |
 
 ## Modules
 
@@ -48,6 +48,7 @@ To test the deployment, follow these steps:
 | <a name="module_access_logs_bucket"></a> [access\_logs\_bucket](#module\_access\_logs\_bucket) | boldlink/s3/aws | 2.3.1 |
 | <a name="module_ecs_service_alb"></a> [ecs\_service\_alb](#module\_ecs\_service\_alb) | ../../ | n/a |
 | <a name="module_ecs_service_nlb"></a> [ecs\_service\_nlb](#module\_ecs\_service\_nlb) | ../../ | n/a |
+| <a name="module_waf_acl"></a> [waf\_acl](#module\_waf\_acl) | boldlink/waf/aws | 1.0.3 |
 
 ## Resources
 
@@ -74,9 +75,12 @@ To test the deployment, follow these steps:
 |------|-------------|------|---------|:--------:|
 | <a name="input_access_logs_enabled"></a> [access\_logs\_enabled](#input\_access\_logs\_enabled) | Whether to enable access logs for the lb | `bool` | `true` | no |
 | <a name="input_alb_ingress_rules"></a> [alb\_ingress\_rules](#input\_alb\_ingress\_rules) | Incoming traffic configuration for the load balancer security group | `list(any)` | <pre>[<br>  {<br>    "cidr_blocks": [<br>      "0.0.0.0/0"<br>    ],<br>    "description": "Allow traffic to load balancer on port 443",<br>    "from_port": 443,<br>    "protocol": "tcp",<br>    "to_port": 443<br>  },<br>  {<br>    "cidr_blocks": [<br>      "0.0.0.0/0"<br>    ],<br>    "description": "Allow traffic to alb load balancer on port 80",<br>    "from_port": 80,<br>    "protocol": "tcp",<br>    "to_port": 80<br>  }<br>]</pre> | no |
+| <a name="input_cloudwatch_metrics_enabled"></a> [cloudwatch\_metrics\_enabled](#input\_cloudwatch\_metrics\_enabled) | Whether to enable cloudwatch metrics | `bool` | `false` | no |
 | <a name="input_containerport"></a> [containerport](#input\_containerport) | Specify container port | `number` | `5000` | no |
 | <a name="input_cpu"></a> [cpu](#input\_cpu) | The number of cpu units to allocate | `number` | `10` | no |
 | <a name="input_create_load_balancer"></a> [create\_load\_balancer](#input\_create\_load\_balancer) | Whether to create a load balancer for ecs. | `bool` | `true` | no |
+| <a name="input_custom_header_name"></a> [custom\_header\_name](#input\_custom\_header\_name) | The name of the custom header to insert | `string` | `"X-My-Company-Tracking-ID"` | no |
+| <a name="input_custom_header_value"></a> [custom\_header\_value](#input\_custom\_header\_value) | The value of the custom header to insert | `string` | `"1234567890"` | no |
 | <a name="input_drop_invalid_header_fields"></a> [drop\_invalid\_header\_fields](#input\_drop\_invalid\_header\_fields) | Indicates whether HTTP headers with header fields that are not valid are removed by the load balancer (true) or routed to targets (false). | `bool` | `true` | no |
 | <a name="input_enable_autoscaling"></a> [enable\_autoscaling](#input\_enable\_autoscaling) | Whether to enable autoscaling or not for ecs | `bool` | `true` | no |
 | <a name="input_enable_execute_command"></a> [enable\_execute\_command](#input\_enable\_execute\_command) | value to enable execute command at the ecs service, default = false | `bool` | `true` | no |
@@ -92,6 +96,7 @@ To test the deployment, follow these steps:
 | <a name="input_path"></a> [path](#input\_path) | Destination for the health check request. Required for HTTP/HTTPS ALB and HTTP NLB. Only applies to HTTP/HTTPS. | `string` | `"/healthz"` | no |
 | <a name="input_requires_compatibilities"></a> [requires\_compatibilities](#input\_requires\_compatibilities) | Set of launch types required by the task. The valid values are EC2 and FARGATE. | `list(string)` | <pre>[<br>  "FARGATE"<br>]</pre> | no |
 | <a name="input_retention_in_days"></a> [retention\_in\_days](#input\_retention\_in\_days) | Number of days you want to retain log events in the specified log group. | `number` | `1` | no |
+| <a name="input_sampled_requests_enabled"></a> [sampled\_requests\_enabled](#input\_sampled\_requests\_enabled) | Whether to enable simple requests | `bool` | `false` | no |
 | <a name="input_scalable_dimension"></a> [scalable\_dimension](#input\_scalable\_dimension) | The scalable dimension of the scalable target. | `string` | `"ecs:service:DesiredCount"` | no |
 | <a name="input_service_namespace"></a> [service\_namespace](#input\_service\_namespace) | The AWS service namespace of the scalable target. | `string` | `"ecs"` | no |
 | <a name="input_supporting_resources_name"></a> [supporting\_resources\_name](#input\_supporting\_resources\_name) | Name of the supporting resources stack | `string` | `"terraform-aws-ecs-service"` | no |

examples/complete/main.tf

@@ -64,10 +64,18 @@ module "ecs_service_alb" {
   enable_autoscaling         = var.enable_autoscaling
   scalable_dimension         = var.scalable_dimension
   service_namespace          = var.service_namespace
+  metric_aggregation_type    = "Average"
+
+  # WAF association
+  associate_with_waf = true
+  web_acl_arn        = module.waf_acl.arn
 
   # Load balancer sg
   lb_ingress_rules = var.alb_ingress_rules
-  depends_on       = [module.access_logs_bucket]
+  depends_on = [
+    module.access_logs_bucket,
+    module.waf_acl
+  ]
 }
 
 module "ecs_service_nlb" {

examples/complete/variables.tf

@@ -4,6 +4,30 @@ variable "name" {
   default     = "complete-ecs-example"
 }
 
+variable "cloudwatch_metrics_enabled" {
+  type        = bool
+  description = "Whether to enable cloudwatch metrics"
+  default     = false
+}
+
+variable "sampled_requests_enabled" {
+  type        = bool
+  description = "Whether to enable simple requests"
+  default     = false
+}
+
+variable "custom_header_name" {
+  type        = string
+  description = "The name of the custom header to insert"
+  default     = "X-My-Company-Tracking-ID"
+}
+
+variable "custom_header_value" {
+  type        = string
+  description = "The value of the custom header to insert"
+  default     = "1234567890"
+}
+
 variable "supporting_resources_name" {
   type        = string
   description = "Name of the supporting resources stack"

examples/complete/waf.tf

@@ -0,0 +1,96 @@
+module "waf_acl" {
+  source      = "boldlink/waf/aws"
+  version     = "1.0.3"
+  name        = var.name
+  description = "Waf acl rules for ecs service"
+  tags        = local.tags
+
+  custom_response_bodies = [
+    {
+      key          = "custom_response_body_1",
+      content      = "You are not authorized to access this resource.",
+      content_type = "TEXT_PLAIN"
+    }
+  ]
+
+  default_action = "allow"
+
+  rules = [
+    {
+      name     = "${var.name}-allow-rule"
+      priority = 1
+
+      action = {
+        allow = {
+          custom_request_handling = {
+            insert_header = {
+              name  = var.custom_header_name
+              value = var.custom_header_value
+            }
+          }
+        }
+      }
+
+      statement = {
+        geo_match_statement = {
+          country_codes = ["GB"]
+        }
+      }
+
+      visibility_config = {
+        cloudwatch_metrics_enabled = var.cloudwatch_metrics_enabled
+        metric_name                = "${var.name}-allow-metric"
+        sampled_requests_enabled   = var.sampled_requests_enabled
+      }
+    },
+    {
+      name       = "${var.name}-block-rule"
+      priority   = 4
+      rule_label = ["ExampleLabel"]
+      action = {
+        block = {
+          custom_response = {
+            custom_response_body_key = "custom_response_body_1"
+            response_code            = 412
+            response_headers = [
+              {
+                name  = "X-Custom-Header-1"
+                value = "You are not authorized to access this resource."
+              },
+            ]
+          }
+        }
+      }
+      statement = {
+        geo_match_statement = {
+          country_codes = ["US"]
+        }
+      }
+      visibility_config = {
+        cloudwatch_metrics_enabled = var.cloudwatch_metrics_enabled
+        metric_name                = "${var.name}-block-metric"
+        sampled_requests_enabled   = var.sampled_requests_enabled
+      }
+    },
+    {
+      name     = "${var.name}-captcha"
+      priority = 2
+
+      action = {
+        captcha = {}
+      }
+
+      statement = {
+        geo_match_statement = {
+          country_codes = ["NL"]
+        }
+      }
+
+      visibility_config = {
+        cloudwatch_metrics_enabled = false
+        metric_name                = "${var.name}-captcha-metric"
+        sampled_requests_enabled   = false
+      }
+    }
+  ]
+}

examples/fargate/README.md

@@ -25,7 +25,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.24.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.25.0 |
 
 ## Modules
 

examples/minimum/README.md

@@ -25,7 +25,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.24.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.25.0 |
 
 ## Modules
 

tests/supportingResources/README.md

@@ -31,7 +31,7 @@ This stack builds:
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.24.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.25.0 |
 
 ## Modules
 

variables.tf

@@ -337,7 +337,7 @@ variable "policy_type" {
 }
 
 variable "adjustment_type" {
-  description = "Required) Specifies whether the adjustment is an absolute number or a percentage of the current capacity. Valid values are ChangeInCapacity, ExactCapacity, and PercentChangeInCapacity."
+  description = "(Required) Specifies whether the adjustment is an absolute number or a percentage of the current capacity. Valid values are ChangeInCapacity, ExactCapacity, and PercentChangeInCapacity."
   type        = string
   default     = "ChangeInCapacity"
 }