From 31eb94ca4b1b5bfba215b6e9a3aa2435a557d9c7 Mon Sep 17 00:00:00 2001
From: lvalentine6
Date: Tue, 23 Sep 2025 00:11:32 +0900
Subject: [PATCH] =?UTF-8?q?fix:=20ua=EA=B0=80=20node=EC=9D=B8=20=EA=B2=BD?=
 =?UTF-8?q?=EC=9A=B0=20=EC=9E=84=EC=8B=9C=EC=A0=81=EC=9C=BC=EB=A1=9C=20?=
 =?UTF-8?q?=EC=A0=91=EC=86=8D=20=ED=97=88=EC=9A=A9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 terraform/common/waf/main.tf | 57 ++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)

diff --git a/terraform/common/waf/main.tf b/terraform/common/waf/main.tf
index e432dd1..ba533e2 100644
--- a/terraform/common/waf/main.tf
+++ b/terraform/common/waf/main.tf
@@ -90,15 +90,25 @@ resource "aws_wafv2_web_acl" "this" {
 rule { name = "AWS-Managed-Bot-Control-Rule-Set" priority = 40 + override_action { none {} } + statement { managed_rule_group_statement { vendor_name = "AWS" name = "AWSManagedRulesBotControlRuleSet" + + rule_action_override { name = "SignalNonBrowserUserAgent" action_to_use { count {} } } } } + visibility_config { cloudwatch_metrics_enabled = true metric_name = "aws-managed-bot-control" 
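Review bot: The new `rule_action_override` only downgrades `SignalNonBrowserUserAgent` to count, but the other rules in `AWSManagedRulesBotControlRuleSet` keep their default action and run at priority 40, ahead of the priority-41 rule that is meant to let node clients through; if those clients send a user agent the group classifies as an HTTP library (for example `axios` or `node-fetch`), they are presumably still blocked by `CategoryHttpLibrary` before the allow logic is reached. Check the sampled requests for that rule and, if it fires, add a second override such as `rule_action_override { name = "CategoryHttpLibrary" action_to_use { count {} } }`. A one-line comment above the override explaining why the signal is counted rather than blocked, e.g. `# Counted, not blocked: the label this signal emits drives the Block-Non-Node-User-Agents rule at priority 41`, would keep the coupling between the two rules visible to the next maintainer.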
@@ -106,6 +116,53 @@ resource "aws_wafv2_web_acl" "this" {
 }
 }
+ # 임시 조치로 ua가 node일 경우만 통과시킴
+ rule {
+ name = "Block-Non-Node-User-Agents"
+ priority = 41
+
+ action {
+ block {}
+ }
+
+ statement {
+ and_statement {
+ statement {
+ label_match_statement {
+ scope = "LABEL"
+ key = "awswaf:managed:aws:bot-control:signal:non_browser_user_agent"
+ }
+ }
+
+ statement {
+ not_statement {
+ statement {
+ byte_match_statement {
+ search_string = "node"
+ field_to_match {
+ single_header {
+ name = "user-agent"
+ }
+ }
+ positional_constraint = "CONTAINS"
+ text_transformation {
+ priority = 0
+ type = "NONE"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+
+ visibility_config {
+ cloudwatch_metrics_enabled = true
+ metric_name = "block-non-node-uas"
+ sampled_requests_enabled = true
+ }
+ }
+
 # Anonymous IP list
 rule {
 name = "AWS-Managed-Anonymous-IP-List"
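Review bot: The `byte_match_statement` in the new rule makes the User-Agent header, a value the client chooses freely, the only thing that decides whether a non-browser request is blocked, so any caller gets through by sending `User-Agent: node`; this is a traffic filter, not an access control, and the real authorization must stay elsewhere. The match is also looser than it needs to be: `CONTAINS` with `type = "NONE"` accepts any UA that merely contains the substring (`nodemon`, `anode-scanner`) while rejecting `Node`, so prefer the exact string the intended client sends, e.g. `positional_constraint = "STARTS_WITH"`, and add a `LOWERCASE` transformation if case variance is expected. Because the label is still emitted when the priority-40 signal is only counted, every other non-browser client — curl, uptime monitors, presumably any webhook senders — is now blocked by this rule; confirm those are acceptable losses before merging. Since the commit message calls this temporary, replace the Korean comment with an English one that names the exit condition, e.g. `# TEMPORARY: block non-browser UAs unless they contain "node" (tracking: <ticket>); remove once the client authenticates properly`.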