feat(infra): Add WAF implementation

Author: justin-tahara

deployment/terraform/modules/aws/onyx/main.tf

@@ -75,3 +75,17 @@ module "eks" {
   private_cluster_enabled = var.private_cluster_enabled
   cluster_endpoint_public_access_cidrs = var.cluster_endpoint_public_access_cidrs
 }
+
+module "waf" {
+  source = "../waf"
+  
+  name = local.name
+  tags = local.merged_tags
+  
+  # WAF configuration with sensible defaults
+  rate_limit_requests_per_5_minutes      = var.waf_rate_limit_requests_per_5_minutes
+  api_rate_limit_requests_per_5_minutes  = var.waf_api_rate_limit_requests_per_5_minutes
+  geo_restriction_countries              = var.waf_geo_restriction_countries
+  enable_logging                         = var.waf_enable_logging
+  log_retention_days                     = var.waf_log_retention_days
+}

deployment/terraform/modules/aws/onyx/variables.tf

@@ -86,3 +86,34 @@ variable "redis_auth_token" {
   default     = null
   sensitive   = true
 }
+
+# WAF Configuration Variables
+variable "waf_rate_limit_requests_per_5_minutes" {
+  type        = number
+  description = "Rate limit for requests per 5 minutes per IP address"
+  default     = 2000
+}
+
+variable "waf_api_rate_limit_requests_per_5_minutes" {
+  type        = number
+  description = "Rate limit for API requests per 5 minutes per IP address"
+  default     = 1000
+}
+
+variable "waf_geo_restriction_countries" {
+  type        = list(string)
+  description = "List of country codes to block. Leave empty to disable geo restrictions"
+  default     = []
+}
+
+variable "waf_enable_logging" {
+  type        = bool
+  description = "Enable WAF logging to S3"
+  default     = true
+}
+
+variable "waf_log_retention_days" {
+  type        = number
+  description = "Number of days to retain WAF logs"
+  default     = 90
+}

deployment/terraform/modules/aws/waf/main.tf

@@ -0,0 +1,195 @@
+locals {
+  name = var.name
+  tags = var.tags
+}
+
+# AWS WAFv2 Web ACL
+resource "aws_wafv2_web_acl" "main" {
+  name        = "${local.name}-web-acl"
+  description = "WAF Web ACL for ${local.name}"
+  scope       = "REGIONAL"
+
+  default_action {
+    allow {}
+  }
+
+  # AWS Managed Rules - Core Rule Set
+  rule {
+    name     = "AWSManagedRulesCommonRuleSet"
+    priority = 1
+
+    override_action {
+      none {}
+    }
+
+    statement {
+      managed_rule_group_statement {
+        name        = "AWSManagedRulesCommonRuleSet"
+        vendor_name = "AWS"
+      }
+    }
+
+    visibility_config {
+      cloudwatch_metrics_enabled = true
+      metric_name                = "AWSManagedRulesCommonRuleSetMetric"
+      sampled_requests_enabled   = true
+    }
+  }
+
+  # AWS Managed Rules - Known Bad Inputs
+  rule {
+    name     = "AWSManagedRulesKnownBadInputsRuleSet"
+    priority = 2
+
+    override_action {
+      none {}
+    }
+
+    statement {
+      managed_rule_group_statement {
+        name        = "AWSManagedRulesKnownBadInputsRuleSet"
+        vendor_name = "AWS"
+      }
+    }
+
+    visibility_config {
+      cloudwatch_metrics_enabled = true
+      metric_name                = "AWSManagedRulesKnownBadInputsRuleSetMetric"
+      sampled_requests_enabled   = true
+    }
+  }
+
+  # Rate Limiting Rule
+  rule {
+    name     = "RateLimitRule"
+    priority = 3
+
+    action {
+      block {}
+    }
+
+    statement {
+      rate_based_statement {
+        limit              = var.rate_limit_requests_per_5_minutes
+        aggregate_key_type = "IP"
+      }
+    }
+
+    visibility_config {
+      cloudwatch_metrics_enabled = true
+      metric_name                = "RateLimitRuleMetric"
+      sampled_requests_enabled   = true
+    }
+  }
+
+  # Geo Restriction (if enabled)
+  dynamic "rule" {
+    for_each = length(var.geo_restriction_countries) > 0 ? [1] : []
+    content {
+      name     = "GeoRestrictionRule"
+      priority = 4
+
+      action {
+        block {}
+      }
+
+      statement {
+        geo_match_statement {
+          country_codes = var.geo_restriction_countries
+        }
+      }
+
+      visibility_config {
+        cloudwatch_metrics_enabled = true
+        metric_name                = "GeoRestrictionRuleMetric"
+        sampled_requests_enabled   = true
+      }
+    }
+  }
+
+  # IP Rate Limiting for specific paths (API protection)
+  rule {
+    name     = "APIRateLimitRule"
+    priority = 5
+
+    action {
+      block {}
+    }
+
+    statement {
+      rate_based_statement {
+        limit              = var.api_rate_limit_requests_per_5_minutes
+        aggregate_key_type = "IP"
+      }
+    }
+
+    visibility_config {
+      cloudwatch_metrics_enabled = true
+      metric_name                = "APIRateLimitRuleMetric"
+      sampled_requests_enabled   = true
+    }
+  }
+
+  # SQL Injection Protection
+  rule {
+    name     = "AWSManagedRulesSQLiRuleSet"
+    priority = 6
+
+    override_action {
+      none {}
+    }
+
+    statement {
+      managed_rule_group_statement {
+        name        = "AWSManagedRulesSQLiRuleSet"
+        vendor_name = "AWS"
+      }
+    }
+
+    visibility_config {
+      cloudwatch_metrics_enabled = true
+      metric_name                = "AWSManagedRulesSQLiRuleSetMetric"
+      sampled_requests_enabled   = true
+    }
+  }
+
+  # XSS Protection
+  rule {
+    name     = "AWSManagedRulesAnonymousIpList"
+    priority = 7
+
+    override_action {
+      none {}
+    }
+
+    statement {
+      managed_rule_group_statement {
+        name        = "AWSManagedRulesAnonymousIpList"
+        vendor_name = "AWS"
+      }
+    }
+
+    visibility_config {
+      cloudwatch_metrics_enabled = true
+      metric_name                = "AWSManagedRulesAnonymousIpListMetric"
+      sampled_requests_enabled   = true
+    }
+  }
+
+  visibility_config {
+    cloudwatch_metrics_enabled = true
+    metric_name                = "${local.name}WebACLMetric"
+    sampled_requests_enabled   = true
+  }
+
+  tags = local.tags
+}
+
+# WAF Logging Configuration (simplified - just CloudWatch)
+resource "aws_cloudwatch_log_group" "waf_logs" {
+  count             = var.enable_logging ? 1 : 0
+  name              = "/aws/waf/${local.name}"
+  retention_in_days = var.log_retention_days
+
+  tags = local.tags
+}

deployment/terraform/modules/aws/waf/outputs.tf

@@ -0,0 +1,19 @@
+output "web_acl_arn" {
+  description = "ARN of the WAF Web ACL"
+  value       = aws_wafv2_web_acl.main.arn
+}
+
+output "web_acl_id" {
+  description = "ID of the WAF Web ACL"
+  value       = aws_wafv2_web_acl.main.id
+}
+
+output "web_acl_name" {
+  description = "Name of the WAF Web ACL"
+  value       = aws_wafv2_web_acl.main.name
+}
+
+output "log_group_name" {
+  description = "Name of the CloudWatch log group for WAF logs"
+  value       = var.enable_logging ? aws_cloudwatch_log_group.waf_logs[0].name : null
+}

deployment/terraform/modules/aws/waf/variables.tf

@@ -0,0 +1,40 @@
+variable "name" {
+  type        = string
+  description = "Name prefix for WAF resources"
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "Tags to apply to all WAF resources"
+  default     = {}
+}
+
+variable "rate_limit_requests_per_5_minutes" {
+  type        = number
+  description = "Rate limit for requests per 5 minutes per IP address"
+  default     = 2000
+}
+
+variable "api_rate_limit_requests_per_5_minutes" {
+  type        = number
+  description = "Rate limit for API requests per 5 minutes per IP address"
+  default     = 1000
+}
+
+variable "geo_restriction_countries" {
+  type        = list(string)
+  description = "List of country codes to block. Leave empty to disable geo restrictions"
+  default     = []
+}
+
+variable "enable_logging" {
+  type        = bool
+  description = "Enable WAF logging to S3"
+  default     = true
+}
+
+variable "log_retention_days" {
+  type        = number
+  description = "Number of days to retain WAF logs"
+  default     = 90
+}