Use modules for sensitive WAF config

terraform/deployments/govuk-publishing-infrastructure/variables.tf

@@ -110,6 +110,18 @@ variable "allow_high_request_rate_from_cidrs" {
   default     = []
 }
 
+variable "cache_public_base_rate_warning" {
+  type        = number
+  description = "A warning rate limit threshold for the public web ACL"
+  default     = 2000
+}
+
+variable "cache_public_base_rate_limit" {
+  type        = number
+  description = "An enforced rate limit threshold for the public web ACL"
+  default     = 1000
+}
+
 variable "backend_public_base_rate_warning" {
   type        = number
   description = "A warning rate limit threshold for the backend public web ACL"
@@ -146,3 +158,9 @@ variable "bouncer_public_base_rate_limit" {
   default     = 1000
 }
 
+variable "fastly_rate_limit_token" {
+  type        = string
+  description = "Fastly API token for rate limiting"
+  default     = "test"
+}
+

terraform/deployments/govuk-publishing-infrastructure/wafs.tf

@@ -2,6 +2,25 @@
 # we use it as a simple sanity check / acceptance test from smokey to ensure that
 # the waf is enabled and processing requests
 #
+
+module "infrastructure-sensitive_wafs" {
+  source  = "app.terraform.io/govuk/infrastructure-sensitive/govuk//modules/wafs"
+  version = "0.0.10"
+
+  cache_public_base_rate_limit   = var.cache_public_base_rate_limit
+  cache_public_base_rate_warning = var.cache_public_base_rate_warning
+  fastly_rate_limit_token        = var.fastly_rate_limit_token
+  govuk_requesting_ips_arn       = aws_wafv2_ip_set.govuk_requesting_ips.arn
+  high_request_rate_ips_arn      = aws_wafv2_ip_set.high_request_rate.arn
+  x_always_block_arn             = aws_wafv2_rule_group.x_always_block.arn
+}
+
+
+moved {
+  from = aws_wafv2_web_acl.cache_public
+  to   = module.infrastructure-sensitive_wafs.aws_wafv2_web_acl.cache_public
+}
+
 resource "aws_wafv2_web_acl" "default" {
   name  = "x-always-block_web_acl"
   scope = "REGIONAL"
@@ -532,28 +551,6 @@ resource "aws_wafv2_web_acl_logging_configuration" "public_bouncer_waf" {
   }
 }
 
-resource "aws_wafv2_web_acl" "cache_public" {
-  name  = "cache_public_web_acl"
-  scope = "REGIONAL"
-
-  default_action {
-    allow {}
-  }
-
-  lifecycle {
-    ignore_changes = [
-      rule,
-      custom_response_body
-    ]
-  }
-
-  visibility_config {
-    cloudwatch_metrics_enabled = true
-    metric_name                = "cache-public-web-acl"
-    sampled_requests_enabled   = true
-  }
-}
-
 resource "aws_cloudwatch_log_group" "public_cache_waf" {
   # the name must start with aws-waf-logs
   # https://docs.aws.amazon.com/waf/latest/developerguide/logging-cw-logs.html#logging-cw-logs-naming
@@ -563,7 +560,7 @@ resource "aws_cloudwatch_log_group" "public_cache_waf" {
 
 resource "aws_wafv2_web_acl_logging_configuration" "public_cache_waf" {
   log_destination_configs = [aws_cloudwatch_log_group.public_cache_waf.arn]
-  resource_arn            = aws_wafv2_web_acl.cache_public.arn
+  resource_arn            = module.infrastructure-sensitive_wafs.public_cache_waf_arn
 
   logging_filter {
     default_behavior = "DROP"

terraform/deployments/tfc-configuration/govuk-publishing-infrastructure.tf

@@ -28,7 +28,8 @@ module "govuk-publishing-infrastructure-integration" {
     "gcp-credentials-integration",
     "common",
     "common-integration",
-    "amazonmq-integration"
+    "amazonmq-integration",
+    "sensitive-waf-integration"
   ]
 }
 
@@ -61,7 +62,8 @@ module "govuk-publishing-infrastructure-staging" {
     "gcp-credentials-staging",
     "common",
     "common-staging",
-    "amazonmq-staging"
+    "amazonmq-staging",
+    "sensitive-waf-staging"
   ]
 }
 
@@ -94,6 +96,7 @@ module "govuk-publishing-infrastructure-production" {
     "gcp-credentials-production",
     "common",
     "common-production",
-    "amazonmq-production"
+    "amazonmq-production",
+    "sensitive-waf-production"
   ]
 }

terraform/deployments/tfc-configuration/variables-sensitive.tf

@@ -1,26 +1,4 @@
-module "variables-sensitive" {
-  source  = "alexbasista/workspacer/tfe"
-  version = "0.12.0"
-
-  organization        = var.organization
-  workspace_name      = "variables-sensitive"
-  workspace_desc      = "This module manages sensitive variables for Terraform Cloud workspaces."
-  workspace_tags      = ["tfc", "variables", "sensitive"]
-  terraform_version   = var.terraform_version
-  execution_mode      = "remote"
-  working_directory   = "/"
-  trigger_patterns    = ["/**/*"]
-  global_remote_state = true
-
-  project_name = "govuk-infrastructure"
-  vcs_repo = {
-    identifier     = "alphagov/govuk-infrastructure-sensitive"
-    branch         = "main"
-    oauth_token_id = data.tfe_oauth_client.github.oauth_token_id
-  }
-
-  team_access = {
-    "GOV.UK Non-Production (r/o)" = "read"
-    "GOV.UK Production"           = "write"
-  }
+module "sensitive-variables" {
+  source  = "app.terraform.io/govuk/infrastructure-sensitive/govuk//modules/variables"
+  version = "0.0.10"
 }