From fe330d4ce45fad8c587c17510e75e40ee6edc6fa Mon Sep 17 00:00:00 2001 From: Chris Kalafarski Date: Mon, 13 Jan 2025 10:46:46 -0500 Subject: [PATCH 1/2] Revert "Disable shared WAF" This reverts commit cb793304d3b5890f42dabb3efe136b9cffa91224. --- spire/templates/shared-alb.yml | 48 +++++++++++++++++----------------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/spire/templates/shared-alb.yml b/spire/templates/shared-alb.yml index 8e4812d9..c0590d65 100644 --- a/spire/templates/shared-alb.yml +++ b/spire/templates/shared-alb.yml 
@@ -435,30 +435,30 @@ Resources: SetIdentifier: !Ref AWS::StackName Type: A - # Waf: - # Type: AWS::WAFv2::WebACL - # Properties: - # DefaultAction: - # Allow: {} - # Description: !Sub WAF for Spire ${EnvironmentType} shared ALB - # Scope: REGIONAL - # Tags: - # - { Key: prx:meta:tagging-version, Value: "2021-04-07" } - # - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName } - # - { Key: prx:cloudformation:stack-id, Value: !Ref AWS::StackId } - # - { Key: prx:cloudformation:root-stack-name, Value: !Ref RootStackName } - # - { Key: prx:cloudformation:root-stack-id, Value: !Ref RootStackId } - # - { Key: prx:ops:environment, Value: !Ref EnvironmentType } - # - { Key: prx:dev:application, Value: Common } - # VisibilityConfig: - # CloudWatchMetricsEnabled: false - # MetricName: !Sub ${Alb.LoadBalancerName}-WAF - # SampledRequestsEnabled: false - # WafAssociation: - # Type: AWS::WAFv2::WebACLAssociation - # Properties: - # ResourceArn: !Ref Alb - # WebACLArn: !GetAtt Waf.Arn + Waf: + Type: AWS::WAFv2::WebACL + Properties: + DefaultAction: + Allow: {} + Description: !Sub WAF for Spire ${EnvironmentType} shared ALB + Scope: REGIONAL + Tags: + - { Key: prx:meta:tagging-version, Value: "2021-04-07" } + - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName } + - { Key: prx:cloudformation:stack-id, Value: !Ref AWS::StackId } + - { Key: prx:cloudformation:root-stack-name, Value: !Ref RootStackName } + - { Key: prx:cloudformation:root-stack-id, Value: !Ref RootStackId } + - { Key: prx:ops:environment, Value: !Ref EnvironmentType } + - { Key: prx:dev:application, Value: Common } + VisibilityConfig: + CloudWatchMetricsEnabled: false + MetricName: !Sub ${Alb.LoadBalancerName}-WAF + SampledRequestsEnabled: false + WafAssociation: + Type: AWS::WAFv2::WebACLAssociation + Properties: + ResourceArn: !Ref Alb + WebACLArn: !GetAtt Waf.Arn Outputs: AlbArn: From aa6992ccf061047829bfe6cec1753d9d515a92d8 Mon Sep 17 00:00:00 2001 
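Review bot: The re-enabled Waf resource keeps `CloudWatchMetricsEnabled: false` and `SampledRequestsEnabled: false` in the web ACL's own VisibilityConfig, so there are no ACL-level allowed/blocked/challenged counts and no sampled requests to inspect; with `DefaultAction: Allow` and no rules that is harmless today, but it is exactly the setting that makes any later rule change impossible to audit, and per-rule metrics only count that rule's matches, not the default action. Suggest flipping both to `CloudWatchMetricsEnabled: true` and `SampledRequestsEnabled: true` on the ACL. No AWS::WAFv2::LoggingConfiguration appears in this hunk; if none exists elsewhere in the template, full request logging to a log destination is worth adding before rules move beyond allow-all.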
From: Chris Kalafarski Date: Mon, 13 Jan 2025 11:21:09 -0500 Subject: [PATCH 2/2] Add geo WAF rule --- spire/templates/shared-alb.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/spire/templates/shared-alb.yml b/spire/templates/shared-alb.yml index c0590d65..99cbdc5b 100644 --- a/spire/templates/shared-alb.yml +++ b/spire/templates/shared-alb.yml @@ -442,6 +442,20 @@ Resources: Allow: {} Description: !Sub WAF for Spire ${EnvironmentType} shared ALB Scope: REGIONAL + Rules: + - Action: + Challenge: {} + Name: reject-exchange-geo + Priority: 20 + Statement: + GeoMatchStatement: + CountryCodes: + - CN + - HK + VisibilityConfig: + CloudWatchMetricsEnabled: true + MetricName: reject-exchange-geo + SampledRequestsEnabled: true Tags: - { Key: prx:meta:tagging-version, Value: "2021-04-07" } - { Key: prx:cloudformation:stack-name, Value: !Ref AWS::StackName }
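Review bot: The rule is attached to the web ACL on the shared ALB (per the Description in the context lines), so the geo challenge applies to every host routed through that ALB, while the name `reject-exchange-geo` suggests it was meant for the Exchange application alone. If that is the intent, narrow the statement with an AndStatement that also matches the Host header, as sketched below; otherwise rename the rule so its blast radius is explicit. Be aware that Challenge serves a browser interstitial, so non-browser clients from CN/HK (API callers, feed fetchers) will fail outright rather than be challenged, and that geo matching is IP-geolocation based and trivially bypassed via proxies, so treat it as abuse mitigation rather than an access control. The Waf resource's own VisibilityConfig sits outside this hunk.

```yaml
      Rules:
        - Action:
            Challenge: {}
          Name: reject-exchange-geo
          Priority: 20
          Statement:
            AndStatement:
              Statements:
                - GeoMatchStatement:
                    CountryCodes:
                      - CN
                      - HK
                - ByteMatchStatement:
                    FieldToMatch:
                      SingleHeader:
                        Name: host
                    PositionalConstraint: ENDS_WITH
                    SearchString: <exchange-hostname>  # TODO: the Host value the Exchange app is served on
                    TextTransformations:
                      - Priority: 0
                        Type: LOWERCASE
          # … unchanged: VisibilityConfig …
```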