AUT-2697: Enable rate limiting of frontend urls

Endpoints can be rate limited based on the number of requests in a given time period (number and time period are configurable via tfvars). There are two buckets for rate limiting: - Per-IP: A single IP address can only make the configured number of requests in the configured time period. - Per-Session: A single session (as defined by the `aps` cookie) can only make the configured number of requests in the configured time period.
govuk-one-login · Apr 15, 2024 · 4861af0 · 4861af0
1 parent 1b3196d
commit 4861af0
Show file tree

Hide file tree

Showing 4 changed files with 143 additions and 23 deletions.
diff --git a/ci/terraform/.terraform.lock.hcl b/ci/terraform/.terraform.lock.hcl
diff --git a/ci/terraform/site.tf b/ci/terraform/site.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "= 5.34.0"
+      version = "= 5.45.0"
     }
     random = {
       source  = "hashicorp/random"

diff --git a/ci/terraform/variables.tf b/ci/terraform/variables.tf
@@ -261,3 +261,21 @@ variable "alb_idle_timeout" {
   description = "Frontend Application Load Balancer idle timeout"
   default     = 60
 }
+
+variable "rate_limited_endpoints" {
+  description = "List of endpoints that should be rate limited by session and IP"
+  type        = list(string)
+  default     = []
+}
+
+variable "rate_limited_endpoints_rate_limit_period" {
+  description = "Period in seconds for rate limiting for rate limited endpoints"
+  type        = number
+  default     = 120
+}
+
+variable "rate_limited_endpoints_requests_per_period" {
+  description = "Number of requests per period allowed for rate limited endpoints"
+  type        = number
+  default     = 100000
+}
diff --git a/ci/terraform/waf.tf b/ci/terraform/waf.tf
@@ -91,6 +91,109 @@ resource "aws_wafv2_web_acl" "frontend_alb_waf_regional_web_acl" {
     }
   }
 
+  rule {
+    name     = "BlockMoreThan100CheckYourEmailRequestsFromIPPer5Minutes"
+    priority = 21
+    rule_label {
+      name = "MoreThan100CheckYourEmailRequestsFromIPPer5Minutes"
+    }
+
+    action {
+      block {}
+    }
+
+    statement {
+      rate_based_statement {
+        limit                 = var.environment == "staging" ? 20000000 : var.rate_limited_endpoints_requests_per_period
+        evaluation_window_sec = var.rate_limited_endpoints_rate_limit_period
+        aggregate_key_type    = "IP"
+
+
+        scope_down_statement {
+          or_statement {
+            dynamic "statement" {
+              for_each = var.rate_limited_endpoints
+              content {
+                byte_match_statement {
+                  positional_constraint = "STARTS_WITH"
+                  search_string         = statement.value
+                  field_to_match {
+                    uri_path {}
+                  }
+                  text_transformation {
+                    priority = 0
+                    type     = "LOWERCASE"
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+
+    visibility_config {
+      cloudwatch_metrics_enabled = true
+      metric_name                = "${replace(var.environment, "-", "")}FrontendAlbWafMoreThan100CheckYourEmailRequestsFromIPPer5Minutes"
+      sampled_requests_enabled   = true
+    }
+  }
+
+  rule {
+    name     = "BlockMoreThan100CheckYourEmailRequestsFromApsSessionPer5Minutes"
+    priority = 22
+
+    rule_label {
+      name = "MoreThan100CheckYourEmailRequestsFromApsSessionPer5Minutes"
+    }
+
+    action {
+      block {}
+    }
+
+    statement {
+      rate_based_statement {
+        limit                 = var.environment == "staging" ? 20000000 : var.rate_limited_endpoints_requests_per_period
+        evaluation_window_sec = var.rate_limited_endpoints_rate_limit_period
+        aggregate_key_type    = "CUSTOM_KEYS"
+        custom_key {
+          cookie {
+            name = "aps"
+            text_transformation {
+              priority = 0
+              type     = "URL_DECODE"
+            }
+          }
+        }
+        scope_down_statement {
+          or_statement {
+            dynamic "statement" {
+              for_each = var.rate_limited_endpoints
+              content {
+                byte_match_statement {
+                  positional_constraint = "STARTS_WITH"
+                  search_string         = statement.value
+                  field_to_match {
+                    uri_path {}
+                  }
+                  text_transformation {
+                    priority = 0
+                    type     = "LOWERCASE"
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+    visibility_config {
+      cloudwatch_metrics_enabled = true
+      metric_name                = "${replace(var.environment, "-", "")}FrontendAlbWafMoreThan100CheckYourEmailRequestsFromApsSessionPer5Minutes"
+      sampled_requests_enabled   = true
+    }
+  }
+
   rule {
     override_action {
       none {}
@@ -275,7 +378,6 @@ resource "aws_wafv2_web_acl" "frontend_alb_waf_regional_web_acl" {
         }
       }
     }
-
     visibility_config {
       cloudwatch_metrics_enabled = true
       metric_name                = "${replace(var.environment, "-", "")}FrontendAlbWafContactUsCount"