Allow for specific IPs to bypass WAF (#6243)

DataBiosphere · May 9, 2024 · c963290 · c963290
1 parent 6ec77a2
commit c963290
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 25 deletions.
diff --git a/src/azul/__init__.py b/src/azul/__init__.py
@@ -1512,6 +1512,8 @@ def docker_image_manifests_path(self) -> Path:
 
     blocked_v4_ips_term = 'blocked_v4_ips'
 
+    allowed_v4_ips_term = 'allowed_v4_ips'
+
     waf_rate_rule_name = 'RateRule'
 
     waf_rate_rule_period = 300  # seconds; this value is fixed by AWS

diff --git a/terraform/api_gateway.tf.json.template.py b/terraform/api_gateway.tf.json.template.py
@@ -161,11 +161,15 @@ def for_domain(cls, domain):
                 for zone in range(vpc.num_zones)
             },
             'aws_wafv2_ip_set': {
-                config.blocked_v4_ips_term: {
-                    'name': config.qualified_resource_name(resource_name=config.blocked_v4_ips_term,
+                name: {
+                    'name': config.qualified_resource_name(resource_name=name,
                                                            stage=config.main_deployment_stage),
                     'scope': 'REGIONAL'
                 }
+                for name in [
+                    config.blocked_v4_ips_term,
+                    config.allowed_v4_ips_term
+                ]
             }
         },
         *(
@@ -205,22 +209,28 @@ def for_domain(cls, domain):
                     'rule': [
                         {**rule, 'priority': i}
                         for i, rule in enumerate([
-                            {
-                                'name': 'BlockedIPs',
-                                'action': {
-                                    'block': {}
-                                },
-                                'statement': {
-                                    'ip_set_reference_statement': {
-                                    'arn': '${data.aws_wafv2_ip_set.%s.arn}' % config.blocked_v4_ips_term
+                            *[
+                                {
+                                    'name': name,
+                                    'action': {
+                                        action: {}
+                                    },
+                                    'statement': {
+                                        'ip_set_reference_statement': {
+                                            'arn': '${data.aws_wafv2_ip_set.%s.arn}' % ip_set_term
+                                        }
+                                    },
+                                    'visibility_config': {
+                                        'metric_name': name,
+                                        'sampled_requests_enabled': True,
+                                        'cloudwatch_metrics_enabled': True
                                     }
-                                },
-                                'visibility_config': {
-                                    'metric_name': 'BlockedIPs',
-                                    'sampled_requests_enabled': True,
-                                    'cloudwatch_metrics_enabled': True
                                 }
-                            },
+                                for name, action, ip_set_term in [
+                                    ('BlockedIPs', 'block', config.blocked_v4_ips_term),
+                                    ('AllowedIPs', 'allow', config.allowed_v4_ips_term)
+                                ]
+                            ],
                             {
                                 'name': config.waf_rate_rule_name,
                                 'action': {

diff --git a/terraform/shared/shared.tf.json.template.py b/terraform/shared/shared.tf.json.template.py
@@ -996,16 +996,22 @@ def conformance_pack(name: str) -> str:
                     ]
                 }
             },
-            config.blocked_v4_ips_term: {
-                'name': config.qualified_resource_name(config.blocked_v4_ips_term),
-                'scope': 'REGIONAL',
-                'ip_address_version': 'IPV4',
-                'addresses': [],
-                'lifecycle': {
-                    'ignore_changes': [
-                        'addresses'
-                    ]
+            **{
+                name: {
+                    'name': config.qualified_resource_name(name),
+                    'scope': 'REGIONAL',
+                    'ip_address_version': 'IPV4',
+                    'addresses': [],
+                    'lifecycle': {
+                        'ignore_changes': [
+                            'addresses'
+                        ]
+                    }
                 }
+                for name in [
+                    config.blocked_v4_ips_term,
+                    config.allowed_v4_ips_term
+                ]
             }
         },
         'aws_ecr_repository': {