
Alarm when WAF rate limit kicks in (#5554, PR #5573)
dsotirho-ucsc committed Oct 3, 2023
2 parents ddfda0e + 8559cea commit 12619ef
Showing 3 changed files with 51 additions and 2 deletions.
2 changes: 2 additions & 0 deletions src/azul/__init__.py
Expand Up @@ -1450,6 +1450,8 @@ def docker_registry(self) -> str:
'linux/amd64'
]

waf_rate_rule_name = 'RateRule'


config: Config = Config() # yes, the type hint does help PyCharm

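Review bot: The new `waf_rate_rule_name` attribute carries no comment explaining why the rule name is lifted into `Config`, even though it is the value that ties the web ACL rule, its CloudWatch metric name and the alarm's `Rule` dimension together. A one-line comment above it would make that coupling visible to the next maintainer, e.g. `# Name of the WAF rate-limiting rule; the CloudWatch alarm selects the rule's BlockedRequests metric by this exact string, so the two must not drift apart`. The enclosing `Config` class begins outside the hunk.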
32 changes: 30 additions & 2 deletions terraform/api_gateway.tf.json.template.py
Expand Up @@ -221,7 +221,7 @@ def for_domain(cls, domain):
},
{
'priority': 1,
'name': 'RateRule',
'name': config.waf_rate_rule_name,
'action': {
'block': {}
},
Expand All @@ -232,7 +232,7 @@ def for_domain(cls, domain):
}
},
'visibility_config': {
'metric_name': 'RateRule',
'metric_name': config.waf_rate_rule_name,
'sampled_requests_enabled': True,
'cloudwatch_metrics_enabled': True
}
Expand Down Expand Up @@ -317,6 +317,34 @@ def for_domain(cls, domain):
'sampled_requests_enabled': True,
}
}
},
'aws_cloudwatch_log_group': {
'waf_api_gateway': {
# WAF logging requires this specific log group name prefix
# https://docs.aws.amazon.com/waf/latest/developerguide/logging-cw-logs.html#logging-cw-logs-naming
'name': 'aws-waf-logs-' + config.qualified_resource_name('api_gateway'),
'retention_in_days': config.audit_log_retention_days
}
},
'aws_wafv2_web_acl_logging_configuration': {
'waf_api_gateway': {
'log_destination_configs': [
'${aws_cloudwatch_log_group.waf_api_gateway.arn}'
],
'resource_arn': '${aws_wafv2_web_acl.api_gateway.arn}',
'logging_filter': {
'default_behavior': 'DROP',
'filter': {
'behavior': 'KEEP',
'requirement': 'MEETS_ALL',
'condition': {
'action_condition': {
'action': 'BLOCK'
}
}
}
}
}
}
},
*([
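Review bot: The new `aws_wafv2_web_acl_logging_configuration` has no `redacted_fields` entry, so every blocked request is logged with its full headers, and any `Authorization` or `Cookie` value carried by a throttled client is retained in the log group for `config.audit_log_retention_days` days. Adding `'redacted_fields': [{'single_header': {'name': 'authorization'}}]` beside `logging_filter` keeps credentials out of the audit log while preserving the rest of the record. The filter's `'default_behavior': 'DROP'` also deserves a comment, since a reader investigating an alarm may expect allowed requests to be present too; e.g. `# Only requests the ACL blocked are logged; allowed traffic is visible through the CloudWatch metrics alone`. The surrounding dictionary literal starts and ends outside the hunk.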
19 changes: 19 additions & 0 deletions terraform/cloudwatch.tf.json.template.py
Expand Up @@ -348,6 +348,25 @@ def prod_qualified_resource_name(name: str) -> str:
for i, metric in enumerate(['AllowedRequests', 'BlockedRequests'])
)
]
},
'waf_rate_blocked': {
'alarm_name': config.qualified_resource_name('waf_rate_blocked'),
'comparison_operator': 'GreaterThanThreshold',
'threshold': 0,
'datapoints_to_alarm': 1,
'evaluation_periods': 1,
'period': 5 * 60,
'metric_name': 'BlockedRequests',
'namespace': 'AWS/WAFV2',
'statistic': 'Sum',
'treat_missing_data': 'notBreaching',
'dimensions': {
'WebACL': '${aws_wafv2_web_acl.api_gateway.name}',
'Region': config.region,
'Rule': config.waf_rate_rule_name
},
'alarm_actions': ['${data.aws_sns_topic.monitoring.arn}'],
'ok_actions': ['${data.aws_sns_topic.monitoring.arn}'],
}
}
}
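Review bot: The `waf_rate_blocked` alarm fires on a single blocked request in a five-minute window (`'threshold': 0` with `'statistic': 'Sum'`, one datapoint, one evaluation period) and notifies on every return to OK as well, so a client that is throttled intermittently over a longer span will produce a notification on each ALARM/OK flip. If that sensitivity is intended, it should be stated rather than left for the reader to infer, e.g. `# Any request blocked by the rate rule is an event worth a human look, hence a zero threshold; ok_actions lets the on-call see when the burst subsided`. An `'alarm_description'` carrying the same text would surface it in the SNS notification itself. The enclosing alarm dictionary starts outside the hunk.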
