From a8f7ca32a9a77a837372d227c8177af94e69e4fa Mon Sep 17 00:00:00 2001
From: Tom Whitwell
Date: Tue, 11 Jun 2024 15:29:33 +0100
Subject: [PATCH] INCIDEN: Use Web ACL provided by Cloudformation CF

If the environment is using cloudfront, then we should apply the given web acl to our ALB. The rules are duplicated and applied to cloudfront separately, so we are not losing any protection.

---
 ci/terraform/waf.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ci/terraform/waf.tf b/ci/terraform/waf.tf
index 18280a410..a994a3ef3 100644
--- a/ci/terraform/waf.tf
+++ b/ci/terraform/waf.tf
@@ -146,7 +146,7 @@ resource "aws_wafv2_web_acl" "frontend_alb_waf_regional_web_acl" {
 }
 action {
- block {}
+ count {}
 }
 statement {
@@ -499,7 +499,7 @@ resource "aws_wafv2_web_acl" "frontend_alb_waf_regional_web_acl" {
 resource "aws_wafv2_web_acl_association" "alb_waf_association" {
 resource_arn = aws_lb.frontend_alb.arn
- web_acl_arn = aws_wafv2_web_acl.frontend_alb_waf_regional_web_acl.arn
+ web_acl_arn = var.cloudfront_auth_dns_enabled ? aws_cloudformation_stack.cloudfront[0].outputs["CloakingOriginWebACLArn"] : aws_wafv2_web_acl.frontend_alb_waf_regional_web_acl.arn
 }
 resource "aws_wafv2_web_acl_logging_configuration" "frontend_alb_waf_logging_config" {
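Review bot: The switch from `block {}` to `count {}` in the first hunk is unconditional, but the commit message only justifies it for environments where `var.cloudfront_auth_dns_enabled` is true; in any environment where it is false, `frontend_alb_waf_regional_web_acl` stays attached to the ALB and this rule now only counts, which is a silent loss of enforcement the description does not mention. The rule's `name` and `statement` lie outside the hunk, so I cannot tell which protection is affected. If the intent is "count only when CloudFront fronts the ALB", the action can be tied to the same variable with dynamic blocks, as sketched below; if every environment does run behind CloudFront, a comment such as `# Counted, not blocked: the equivalent rule is enforced on the CloudFront distribution (see CloakingOriginWebACL)` should record that so the change is not mistaken for a regression.
```hcl
    action {
      # Enforce at the ALB only when CloudFront is not in front of it;
      # the duplicated rule on the CloudFront ACL enforces otherwise.
      dynamic "block" {
        for_each = var.cloudfront_auth_dns_enabled ? [] : [1]
        content {}
      }
      dynamic "count" {
        for_each = var.cloudfront_auth_dns_enabled ? [1] : []
        content {}
      }
    }
    # … unchanged: statement …
```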
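Review bot: In the second hunk the association now points the ALB at `aws_cloudformation_stack.cloudfront[0].outputs["CloakingOriginWebACLArn"]` when CloudFront is enabled, but `frontend_alb_waf_logging_config`, whose body starts on the hunk's last line and continues outside it, is not touched; if its `resource_arn` still references `frontend_alb_waf_regional_web_acl`, then in CloudFront environments the ACL actually enforcing on the ALB has no logging configured by this module, and the regional ACL that is logged protects nothing. That is a visibility gap for incident response rather than a plan-time failure, so it will not surface until someone looks for WAF logs. Either apply the same conditional to the logging configuration's `resource_arn` (checking first that the CloudFormation stack does not already attach a logging configuration, since WAFv2 allows only one per ACL) or document the gap with a comment on the association, e.g. `# When cloudfront_auth_dns_enabled is true the attached ACL is owned by the CloudFormation stack; WAF logging for it is configured there, not here`. The long ternary would also read better hoisted into a `local`, e.g. `local.alb_web_acl_arn`, so the same ARN can be reused by the logging resource.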