Update WAF to support allowlists (#21448)

terraform/addons/waf-alb/main.tf

@@ -1,4 +1,9 @@
-resource "aws_wafv2_rule_group" "main" {
+locals {
+  default_action = var.waf_type == "blocklist" ? "block" : "allow"
+}
+
+resource "aws_wafv2_rule_group" "blocked" {
+  count    = var.waf_type == "blocklist" ? 1 : 0
   name     = var.name
   scope    = "REGIONAL"
   capacity = 2
@@ -34,7 +39,7 @@ resource "aws_wafv2_rule_group" "main" {
 
     statement {
       ip_set_reference_statement {
-        arn = aws_wafv2_ip_set.main.arn
+        arn = aws_wafv2_ip_set.blocked[0].arn
       }
     }
 
@@ -52,19 +57,61 @@ resource "aws_wafv2_rule_group" "main" {
   }
 }
 
-resource "aws_wafv2_ip_set" "main" {
+resource "aws_wafv2_ip_set" "blocked" {
+  count              = var.waf_type == "blocklist" ? 1 : 0
   name               = var.name
   scope              = "REGIONAL"
   ip_address_version = "IPV4"
   addresses          = var.blocked_addresses
 }
 
+resource "aws_wafv2_rule_group" "allowed" {
+  count    = var.waf_type == "allowlist" ? 1 : 0
+  name     = var.name
+  scope    = "REGIONAL"
+  capacity = 2
+
+  rule {
+    name     = "specific"
+    priority = 1
+
+    action {
+      allow {}
+    }
+
+    statement {
+      ip_set_reference_statement {
+        arn = aws_wafv2_ip_set.allowed[0].arn
+      }
+    }
+
+    visibility_config {
+      cloudwatch_metrics_enabled = false
+      metric_name                = var.name
+      sampled_requests_enabled   = false
+    }
+  }
+
+  visibility_config {
+    cloudwatch_metrics_enabled = false
+    metric_name                = var.name
+    sampled_requests_enabled   = false
+  }
+}
+
 resource "aws_wafv2_web_acl" "main" {
   name  = var.name
   scope = "REGIONAL"
 
   default_action {
-    allow {}
+    dynamic "block" {
+      for_each = var.waf_type == "allowlist" ? [true] : []
+      content {}
+    }
+    dynamic "allow" {
+      for_each = var.waf_type == "blocklist" ? [true] : []
+      content {}
+    }
   }
 
   rule {
@@ -77,7 +124,7 @@ resource "aws_wafv2_web_acl" "main" {
 
     statement {
       rule_group_reference_statement {
-        arn = aws_wafv2_rule_group.main.arn
+        arn = var.waf_type == "blocklist" ? aws_wafv2_rule_group.blocked[0].arn : aws_wafv2_rule_group.allowed[0].arn
       }
     }
 
@@ -95,6 +142,15 @@ resource "aws_wafv2_web_acl" "main" {
   }
 }
 
+resource "aws_wafv2_ip_set" "allowed" {
+  count              = var.waf_type == "allowlist" ? 1 : 0
+  name               = var.name
+  scope              = "REGIONAL"
+  ip_address_version = "IPV4"
+  addresses          = var.allowed_addresses
+}
+
+
 resource "aws_wafv2_web_acl_association" "main" {
   resource_arn = var.lb_arn
   web_acl_arn  = aws_wafv2_web_acl.main.arn

terraform/addons/waf-alb/variables.tf

@@ -2,6 +2,11 @@ variable "name" {}
 
 variable "lb_arn" {}
 
+variable "waf_type" {
+  type    = string
+  default = "blocklist"
+}
+
 variable "blocked_countries" {
   type    = list(string)
   default = ["BI", "BY", "CD", "CF", "CU", "IQ", "IR", "LB", "LY", "SD", "SO", "SS", "SY", "VE", "ZW", "RU"]
@@ -11,3 +16,8 @@ variable "blocked_addresses" {
   type    = list(string)
   default = []
 }
+
+variable "allowed_addresses" {
+  type    = list(string)
+  default = []
+}

terraform/byo-vpc/byo-db/byo-ecs/variables.tf

@@ -129,7 +129,6 @@ variable "fleet_config" {
     extra_iam_policies           = []
     extra_execution_iam_policies = []
     extra_secrets                = {}
-    security_groups              = null
     security_group_name          = "fleet"
     iam_role_arn                 = null
     repository_credentials       = ""