From 8d4808c4b7f63418fa2042909b14615621c4605f Mon Sep 17 00:00:00 2001
From: Sean Rankine
Date: Mon, 27 Jan 2025 12:11:27 +0000
Subject: [PATCH] Wip

---
 .../govuk-publishing-infrastructure/wafs.tf | 49 +++++++++++++++++++
 1 file changed, 49 insertions(+)

diff --git a/terraform/deployments/govuk-publishing-infrastructure/wafs.tf b/terraform/deployments/govuk-publishing-infrastructure/wafs.tf
index ff9925cac..f3c4bca8f 100644
--- a/terraform/deployments/govuk-publishing-infrastructure/wafs.tf
+++ b/terraform/deployments/govuk-publishing-infrastructure/wafs.tf
@@ -500,3 +500,52 @@ resource "aws_wafv2_web_acl_logging_configuration" "public_bouncer_waf" {
 }
 }
 }
+
+resource "aws_wafv2_web_acl" "cache_public" {
+ name = "cache_public_web_acl"
+ scope = "REGIONAL"
+
+ default_action {
+ allow {}
+ }
+
+ visibility_config {
+ cloudwatch_metrics_enabled = true
+ metric_name = "cache-public-web-acl"
+ sampled_requests_enabled = true
+ }
+}
+
+resource "aws_cloudwatch_log_group" "public_cache_waf" {
+ # the name must start with aws-waf-logs
+ # https://docs.aws.amazon.com/waf/latest/developerguide/logging-cw-logs.html#logging-cw-logs-naming
+ name = "aws-waf-logs-cache-public-${var.govuk_environment}"
+ retention_in_days = var.waf_log_retention_days
+}
+
+resource "aws_wafv2_web_acl_logging_configuration" "public_cache_waf" {
+ log_destination_configs = [aws_cloudwatch_log_group.public_cache_waf.arn]
+ resource_arn = aws_wafv2_web_acl.cache_public.arn
+
+ logging_filter {
+ default_behavior = "DROP"
+
+ filter {
+ behavior = "KEEP"
+
+ condition {
+ action_condition {
+ action = "COUNT"
+ }
+ }
+
+ condition {
+ action_condition {
+ action = "BLOCK"
+ }
+ }
+
+ requirement = "MEETS_ANY"
+ }
+ }
+}
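Review bot: The new `aws_wafv2_web_acl.cache_public` has no `rule` blocks and a `default_action { allow {} }`, so no request can ever receive a COUNT or BLOCK action, which means the `logging_filter` on `public_cache_waf` (default `DROP`, `KEEP` only for COUNT/BLOCK) will never keep a record and the new log group stays empty until rules are added. Given the "Wip" subject this may be deliberate scaffolding, but it is worth marking in place, e.g. `# TODO: no rules yet - with default_action allow this ACL is a pass-through and the logging filter below matches nothing`. Nothing in this patch attaches the ACL to a resource either; if the `aws_wafv2_web_acl_association` lives elsewhere that is fine, otherwise the ACL currently protects nothing. As a style point, the web ACL is named `cache_public` while its log group and logging configuration are both `public_cache_waf`; the existing `public_bouncer_waf` pair visible in the hunk header suggests using one naming order for all three resources.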