changes to Cloud front Template & WAF scope down for Zero WAF downtime (

#1601) * changes to Cloud front Template & WAF scope down for Zero waf downtime when dns is switched
govuk-one-login · May 7, 2024 · 88416e3 · 88416e3
1 parent 766600a
commit 88416e3
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 18 deletions.
diff --git a/ci/terraform/cloudfront.tf b/ci/terraform/cloudfront.tf
@@ -2,22 +2,19 @@ resource "aws_cloudformation_stack" "cloudfront" {
   count = var.cloudfront_auth_frontend_enabled ? 1 : 0
   name  = "${var.environment}-auth-fe-cloudfront"
   #using fixed version of cloudfron disturbution template for now 
-  template_url = "https://template-storage-templatebucket-1upzyw6v9cs42.s3.amazonaws.com/cloudfront-distribution/template.yaml?versionId=EKk9m9vMv10qF5vHzWZogFLnQQw6_Yjc"
+  template_url = "https://template-storage-templatebucket-1upzyw6v9cs42.s3.amazonaws.com/cloudfront-distribution/template.yaml?versionId=r_TJE_Uw3BHA0FFMX7WE84B39D9ucuG8"
 
   capabilities = ["CAPABILITY_NAMED_IAM"]
 
   parameters = {
-    AddWWWPrefix                   = var.Add_WWWPrefix
-    ApplyCloakingHeaderWAFToOrigin = var.Apply_CloakingHeader_WAFToOrigin
-    CloudFrontCertArn              = aws_acm_certificate.cloudfront_frontend_certificate[0].arn
-    CloudfrontWafAcl               = aws_wafv2_web_acl.frontend_cloudfront_waf_web_acl[0].arn
-    DistributionAlias              = local.frontend_fqdn
-    FraudHeaderEnabled             = var.Fraud_Header_Enabled
-    OriginCloakingHeader           = var.auth_origin_cloakingheader
-    OriginResourceArn              = aws_lb.frontend_alb.id
-    OriginWafAcl                   = "none"
-    PreviousOriginCloakingHeader   = var.previous_auth_origin_cloakingheader
-    StandardLoggingEnabled         = true
+    AddWWWPrefix                 = var.Add_WWWPrefix
+    CloudFrontCertArn            = aws_acm_certificate.cloudfront_frontend_certificate[0].arn
+    CloudfrontWafAcl             = aws_wafv2_web_acl.frontend_cloudfront_waf_web_acl[0].arn
+    DistributionAlias            = local.frontend_fqdn
+    FraudHeaderEnabled           = var.Fraud_Header_Enabled
+    OriginCloakingHeader         = var.auth_origin_cloakingheader
+    PreviousOriginCloakingHeader = var.previous_auth_origin_cloakingheader
+    StandardLoggingEnabled       = true
   }
   tags = local.default_tags
 

diff --git a/ci/terraform/variables.tf b/ci/terraform/variables.tf
@@ -316,12 +316,6 @@ variable "Add_WWWPrefix" {
   description = "flag to to add subdomain (www) to the frontend url eg www.signin.sandpit.account.gov.uk"
 }
 
-variable "Apply_CloakingHeader_WAFToOrigin" {
-  type        = bool
-  default     = false
-  description = "flag to add a cloacking header WAf to ALB so only requiest comming from cloudfront are allowed "
-}
-
 variable "Fraud_Header_Enabled" {
   type        = bool
   default     = false

diff --git a/ci/terraform/waf.tf b/ci/terraform/waf.tf
@@ -34,6 +34,10 @@ resource "aws_wafv2_ip_set" "gds_ip_set" {
   tags = local.default_tags
 }
 
+locals {
+  cloudfront_origin_cloaking_header_name = "origin-cloaking-secret"
+}
+
 resource "aws_wafv2_web_acl" "frontend_alb_waf_regional_web_acl" {
   name  = "${var.environment}-frontend-alb-waf-web-acl"
   scope = "REGIONAL"
@@ -82,6 +86,49 @@ resource "aws_wafv2_web_acl" "frontend_alb_waf_regional_web_acl" {
       rate_based_statement {
         limit              = var.environment == "staging" ? 20000000 : 25000
         aggregate_key_type = "IP"
+        scope_down_statement {
+          and_statement {
+            statement {
+              not_statement {
+                statement {
+                  byte_match_statement {
+                    field_to_match {
+                      single_header {
+                        name = local.cloudfront_origin_cloaking_header_name
+                      }
+                    }
+                    positional_constraint = "EXACTLY"
+                    search_string         = var.auth_origin_cloakingheader
+                    text_transformation {
+                      priority = 0
+                      type     = "NONE"
+                    }
+                  }
+                }
+              }
+            }
+
+            statement {
+              not_statement {
+                statement {
+                  byte_match_statement {
+                    field_to_match {
+                      single_header {
+                        name = local.cloudfront_origin_cloaking_header_name
+                      }
+                    }
+                    positional_constraint = "EXACTLY"
+                    search_string         = var.previous_auth_origin_cloakingheader
+                    text_transformation {
+                      priority = 0
+                      type     = "NONE"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        }
       }
     }
     visibility_config {