Use modules for sensitive WAF config

terraform/deployments/govuk-publishing-infrastructure/variables.tf

@@ -110,6 +110,18 @@ variable "allow_high_request_rate_from_cidrs" {
   default     = []
 }
 
+variable "cache_public_base_rate_warning" {
+  type        = number
+  description = "A warning rate limit threshold for the public web ACL"
+  default     = 2000
+}
+
+variable "cache_public_base_rate_limit" {
+  type        = number
+  description = "An enforced rate limit threshold for the public web ACL"
+  default     = 1000
+}
+
 variable "backend_public_base_rate_warning" {
   type        = number
   description = "A warning rate limit threshold for the backend public web ACL"
@@ -146,3 +158,9 @@ variable "bouncer_public_base_rate_limit" {
   default     = 1000
 }
 
+variable "fastly_rate_limit_token" {
+  type        = string
+  description = "Fastly API token for rate limiting"
+  default     = "test"
+}
+

terraform/deployments/govuk-publishing-infrastructure/wafs.tf

@@ -2,6 +2,19 @@
 # we use it as a simple sanity check / acceptance test from smokey to ensure that
 # the waf is enabled and processing requests
 #
+
+module "infrastructure-sensitive_wafs" {
+  source  = "app.terraform.io/govuk/infrastructure-sensitive/govuk//modules/wafs"
+  version = "0.0.4"
+
+  cache_public_base_rate_limit   = var.cache_public_base_rate_limit
+  cache_public_base_rate_warning = var.cache_public_base_rate_warning
+  fastly_rate_limit_token        = var.fastly_rate_limit_token
+  govuk_requesting_ips_arn       = aws_wafv2_ip_set.govuk_requesting_ips.arn
+  high_request_rate_ips_arn      = aws_wafv2_ip_set.high_request_rate.arn
+  x_always_block_arn             = aws_wafv2_rule_group.x_always_block.arn
+}
+
 resource "aws_wafv2_web_acl" "default" {
   name  = "x-always-block_web_acl"
   scope = "REGIONAL"