From c8cfda8b2696a7c78f38c6d4b4e88b4859486592 Mon Sep 17 00:00:00 2001 From: Jacob Coffee Date: Tue, 10 Sep 2024 12:13:10 -0500 Subject: [PATCH 01/12] feat: add ngwaf with successful tfplan --- infra/.terraform.lock.hcl | 22 ++++++ infra/cdn/README.md | 26 ++++++- infra/cdn/main.tf | 20 ++++++ infra/cdn/ngwaf.tf | 140 ++++++++++++++++++++++++++++++++++++++ infra/cdn/providers.tf | 8 +++ infra/cdn/variables.tf | 36 +++++++++- infra/cdn/versions.tf | 4 ++ infra/main.tf | 18 +++-- infra/variables.tf | 7 +- 9 files changed, 274 insertions(+), 7 deletions(-) create mode 100644 infra/cdn/ngwaf.tf diff --git a/infra/.terraform.lock.hcl b/infra/.terraform.lock.hcl index 165cd9357..5844f52bd 100644 --- a/infra/.terraform.lock.hcl +++ b/infra/.terraform.lock.hcl 
@@ -22,3 +22,25 @@ provider "registry.terraform.io/fastly/fastly" { "zh:ec8d899cafd925d3492f00c6523c90599aebc43c1373ad4bd6c55f12d2376230", ] } + +provider "registry.terraform.io/signalsciences/sigsci" { + version = "3.3.0" + constraints = "3.3.0" + hashes = [ + "h1:DIoFVzfofY8lQSxFTw9wmQQC28PPMq+5l3xbPNw9gLc=", + "zh:07c25e1cca9c13314429a8430c2e999ad94c7d5e2f2a11501ee2608182387e61", + "zh:07daf79b672f3e0bec7b48e3ac8dcdeec02af06b10d653bd8158a74236b0746b", + "zh:1e24a050c3d3571ec3224c4bb5c82635caf636e707b5993a1cc97c9a1f19fa8f", + "zh:24293ae24b3de13bda8512c47967f01814724805396a1bfbfbfc56f5627615cc", + "zh:2cc6ba7a38d9854146d1d05f4b7a2f8e18a33c1267b768506cbe37168dad01dc", + "zh:42065bfee0cfde04096d6140c65379253359bed49b481a97aff70aa65bf568b3", + "zh:6f7f4d96967dfd92f098b57647d396679b70d92548db6d100c4dc8723569d175", + "zh:a2e4431f045cef16ed152c0d1f8a377b6468351b775ad1ca7ce3fe74fb874be2", + "zh:b0ed1cb03d6f191fe211f10bb59ef8daed6f89e3d99136e7bb5d38f2ac72fa45", + "zh:b61ea18442a65d27b97dd1cd43bdd8d0a56c2b4b8db6355480e89f8507c6782a", + "zh:c31bb2f50ac2a636758f93afec0b9d173be6d7d7476f9e250b4554e70c6d8d82", + "zh:cb7337f7b4678ad7ece28741069c07ce5601d2a103a9667db568cf10ed0ee5a2", + "zh:d521a7dac51733aebb0905e25b8f7c1279d83c06136e87826e010c667528fd3e", + "zh:ef791688acee3b8b1191b3c6dc54dabf69612dbfb666720280b492ce348a3a06", + ] +} diff --git a/infra/cdn/README.md b/infra/cdn/README.md index 6ebe5a637..0a4488fb4 100644 --- a/infra/cdn/README.md +++ b/infra/cdn/README.md 
@@ -30,4 +30,28 @@ N/A Tested on - Tested on Terraform 1.8.5 -- Fastly provider 5.13.0 \ No newline at end of file +- Fastly provider 5.13.0 + +# Fastly's NGWAF + +This module also conditionally can set up the Fastly Next-Gen Web Application Firewall (NGWAF) +for our Fastly services related to python.org / test.python.org. + +## Usage + +```hcl +module "fastly_production" { + source = "./cdn" + + ... + enable_ngwaf = true + ... +} +``` + +## Requirements + +Tested on +- Terraform 1.8.5 +- Fastly provider 5.13.0 +- SigSci provider 3.3.0 \ No newline at end of file diff --git a/infra/cdn/main.tf b/infra/cdn/main.tf index 12d1fbba4..0fdb5f831 100644 --- a/infra/cdn/main.tf +++ b/infra/cdn/main.tf @@ -343,3 +343,23 @@ resource "fastly_service_vcl" "python_org" { status = 403 } } + +output "service_id" { + value = fastly_service_vcl.python_org.id + description = "The ID of the Fastly service" +} + +output "backend_address" { + value = var.backend_address + description = "The backend address for the service." +} + +output "service_name" { + value = var.name + description = "The name of the Fastly service" +} + +output "domain" { + value = var.domain + description = "The domain of the Fastly service" +} diff --git a/infra/cdn/ngwaf.tf b/infra/cdn/ngwaf.tf new file mode 100644 index 000000000..3a8c24b5c --- /dev/null +++ b/infra/cdn/ngwaf.tf 
@@ -0,0 +1,140 @@ +resource "fastly_service_vcl" "ngwaf_service" { + count = var.activate_ngwaf_service ? 1 : 0 + name = "${var.name}-ngwaf" + activate = var.activate_ngwaf_service + + domain { + name = var.domain + comment = "NGWAF domain" + } + + backend { + address = var.backend_address + name = "ngwaf_backend" + port = 443 + use_ssl = true + ssl_cert_hostname = var.backend_address + ssl_sni_hostname = var.backend_address + override_host = var.backend_address + } + + # NGWAF Dynamic Snippets + dynamicsnippet { + name = "ngwaf_config_init" + type = "init" + priority = 0 + } + + dynamicsnippet { + name = "ngwaf_config_miss" + type = "miss" + priority = 9000 + } + + dynamicsnippet { + name = "ngwaf_config_pass" + type = "pass" + priority = 9000 + } + + dynamicsnippet { + name = "ngwaf_config_deliver" + type = "deliver" + priority = 9000 + } + + dictionary { + name = var.edge_security_dictionary + } + + product_enablement { + bot_management = true + } + + lifecycle { + ignore_changes = [product_enablement] + } +} + +output "ngwaf_service_id" { + value = var.activate_ngwaf_service ? fastly_service_vcl.ngwaf_service[0].id : null +} + +# Fastly Service Dictionary Items +resource "fastly_service_dictionary_items" "edge_security_dictionary_items" { + count = var.activate_ngwaf_service ? 1 : 0 + service_id = fastly_service_vcl.ngwaf_service[0].id + dictionary_id = [for d in fastly_service_vcl.ngwaf_service[0].dictionary : d.dictionary_id if d.name == var.edge_security_dictionary][0] + items = { + Enabled : "100" + } +} + +# Fastly Service Dynamic Snippet Contents +resource "fastly_service_dynamic_snippet_content" "ngwaf_config_init" { + count = var.activate_ngwaf_service ? 
1 : 0 + service_id = fastly_service_vcl.ngwaf_service[0].id + snippet_id = [for d in fastly_service_vcl.ngwaf_service[0].dynamicsnippet : d.snippet_id if d.name == "ngwaf_config_init"][0] + content = "### Fastly managed ngwaf_config_init" + manage_snippets = false +} + +resource "fastly_service_dynamic_snippet_content" "ngwaf_config_miss" { + count = var.activate_ngwaf_service ? 1 : 0 + service_id = fastly_service_vcl.ngwaf_service[0].id + snippet_id = [for d in fastly_service_vcl.ngwaf_service[0].dynamicsnippet : d.snippet_id if d.name == "ngwaf_config_miss"][0] + content = "### Fastly managed ngwaf_config_miss" + manage_snippets = false +} + +resource "fastly_service_dynamic_snippet_content" "ngwaf_config_pass" { + count = var.activate_ngwaf_service ? 1 : 0 + service_id = fastly_service_vcl.ngwaf_service[0].id + snippet_id = [for d in fastly_service_vcl.ngwaf_service[0].dynamicsnippet : d.snippet_id if d.name == "ngwaf_config_pass"][0] + content = "### Fastly managed ngwaf_config_pass" + manage_snippets = false +} + +resource "fastly_service_dynamic_snippet_content" "ngwaf_config_deliver" { + count = var.activate_ngwaf_service ? 1 : 0 + service_id = fastly_service_vcl.ngwaf_service[0].id + snippet_id = [for d in fastly_service_vcl.ngwaf_service[0].dynamicsnippet : d.snippet_id if d.name == "ngwaf_config_deliver"][0] + content = "### Fastly managed ngwaf_config_deliver" + manage_snippets = false +} + +# NGWAF Edge Deployment on SignalSciences.net +resource "sigsci_edge_deployment" "ngwaf_edge_site_service" { + count = var.activate_ngwaf_service ? 1 : 0 + provider = sigsci.firewall + site_short_name = var.ngwaf_site_name +} + +resource "sigsci_edge_deployment_service" "ngwaf_edge_service_link" { + count = var.activate_ngwaf_service ? 
1 : 0 + provider = sigsci.firewall + site_short_name = var.ngwaf_site_name + fastly_sid = fastly_service_vcl.ngwaf_service[0].id + activate_version = var.activate_ngwaf_service + percent_enabled = 100 + depends_on = [ + sigsci_edge_deployment.ngwaf_edge_site_service, + fastly_service_vcl.ngwaf_service, + fastly_service_dictionary_items.edge_security_dictionary_items, + fastly_service_dynamic_snippet_content.ngwaf_config_init, + fastly_service_dynamic_snippet_content.ngwaf_config_miss, + fastly_service_dynamic_snippet_content.ngwaf_config_pass, + fastly_service_dynamic_snippet_content.ngwaf_config_deliver, + ] +} + +resource "sigsci_edge_deployment_service_backend" "ngwaf_edge_service_backend_sync" { + count = var.activate_ngwaf_service ? 1 : 0 + provider = sigsci.firewall + site_short_name = var.ngwaf_site_name + fastly_sid = fastly_service_vcl.ngwaf_service[0].id + fastly_service_vcl_active_version = fastly_service_vcl.ngwaf_service[0].active_version + depends_on = [ + sigsci_edge_deployment_service.ngwaf_edge_service_link, + ] +} diff --git a/infra/cdn/providers.tf b/infra/cdn/providers.tf index 201f5de4a..bdee7a807 100644 --- a/infra/cdn/providers.tf +++ b/infra/cdn/providers.tf @@ -2,3 +2,11 @@ provider "fastly" { alias = "cdn" api_key = var.fastly_key } + +provider "sigsci" { + alias = "firewall" + corp = var.ngwaf_corp_name + email = var.ngwaf_email + auth_token = var.ngwaf_token + fastly_api_key = var.fastly_key +} diff --git a/infra/cdn/variables.tf b/infra/cdn/variables.tf index 4cbf6db6e..5c1be4562 100644 --- a/infra/cdn/variables.tf +++ b/infra/cdn/variables.tf 
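Review bot: The `lifecycle { ignore_changes = [product_enablement] }` at the end of the new `ngwaf_service` resource means Terraform sets `bot_management = true` once at creation and never reconciles it again, so an out-of-band change to the product flags would not show up in a later plan. If that is deliberate, say so in place: `# product_enablement is only set on creation; later drift is intentionally not reconciled`; if it is not, drop the lifecycle block or narrow it to the attribute that actually changes outside Terraform. Further down, `percent_enabled = 100` on `ngwaf_edge_service_link` sends all traffic through the WAF the moment the service is activated; a `variable "ngwaf_percent_enabled"` with `default = 100` and `percent_enabled = var.ngwaf_percent_enabled` would keep today's behaviour while allowing a staged rollout.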
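Review bot: The new `provider "sigsci"` block hands the same `var.fastly_key` to a second provider without saying why, which a reader auditing credential scope will question. Presumably the key is what the `sigsci_edge_deployment_service*` resources use to act on the Fastly service on our behalf — confirm, and record it on the attribute: `fastly_api_key = var.fastly_key # used by the edge-deployment resources to link the NGWAF site to the Fastly service`. If a narrower-scoped Fastly token is sufficient for that, a separate variable would keep the two providers' access independent.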
@@ -40,4 +40,38 @@ variable "backend_address" { variable "default_ttl" { type = number description = "The default TTL for the service." -} \ No newline at end of file +} + +## NGWAF +variable "activate_ngwaf_service" { + type = bool + description = "Whether to activate the NGWAF service." +} +variable "edge_security_dictionary" { + type = string + description = "The dictionary name for the Edge Security product." + default = "" +} +variable "ngwaf_corp_name" { + type = string + description = "Corp name for NGWAF" + default = "python" +} +variable "ngwaf_site_name" { + type = string + description = "Site SHORT name for NGWAF" + + validation { + condition = can(regex("^(test|stage|prod)$", var.ngwaf_site_name)) + error_message = "'ngwaf_site_name' must be one of the following: test, stage, or prod" + } +} +variable "ngwaf_email" { + type = string + description = "Email address associated with the token for the NGWAF API." +} +variable "ngwaf_token" { + type = string + description = "Secret token for the NGWAF API." + sensitive = true +} diff --git a/infra/cdn/versions.tf b/infra/cdn/versions.tf index da9c01f79..f8c137ba6 100644 --- a/infra/cdn/versions.tf +++ b/infra/cdn/versions.tf @@ -4,5 +4,9 @@ terraform { source = "fastly/fastly" version = "5.13.0" } + sigsci = { + source = "signalsciences/sigsci" + version = "3.3.0" + } } } diff --git a/infra/main.tf b/infra/main.tf index b3ec26a77..469d7eb02 100644 --- a/infra/main.tf +++ b/infra/main.tf 
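Review bot: `edge_security_dictionary` defaults to `""`, and neither module call in the `infra/main.tf` hunk of this same patch sets it, so with `activate_ngwaf_service = true` the staging service is created with a `dictionary { name = "" }` and the `d.name == var.edge_security_dictionary` lookup in `ngwaf.tf` matches on an empty name. Either remove the default so callers must supply the name, or default it to the dictionary name the NGWAF edge deployment actually expects, and in both cases reject the empty string with a `validation` block whose `condition = length(var.edge_security_dictionary) > 0` and a matching `error_message`. The `ngwaf_site_name` validation a few lines below is a good model for the shape.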
@@ -12,15 +12,20 @@ module "fastly_production" { fastly_key = var.FASTLY_API_KEY fastly_header_token = var.FASTLY_HEADER_TOKEN s3_logging_keys = var.fastly_s3_logging + + ngwaf_site_name = "prod" + ngwaf_email = "jacob.coffee@pyfound.org" # TODO + ngwaf_token = var.ngwaf_token + activate_ngwaf_service = false } module "fastly_staging" { source = "./cdn" - name = "test.python.org" - domain = "test.python.org" - subdomain = "www.test.python.org" - extra_domains = ["www.test.python.org"] + name = "test.python.org" + domain = "test.python.org" + subdomain = "www.test.python.org" + extra_domains = ["www.test.python.org"] # TODO: adjust to test-pythondotorg when done testing NGWAF backend_address = "pythondotorg.ingress.us-east-2.psfhosted.computer" default_ttl = 3600 @@ -29,4 +34,9 @@ module "fastly_staging" { fastly_key = var.FASTLY_API_KEY fastly_header_token = var.FASTLY_HEADER_TOKEN s3_logging_keys = var.fastly_s3_logging + + ngwaf_site_name = "test" + ngwaf_email = "jacob.coffee@pyfound.org" # TODO + ngwaf_token = var.ngwaf_token + activate_ngwaf_service = true } diff --git a/infra/variables.tf b/infra/variables.tf index ec23b23ec..33fc1dda5 100644 --- a/infra/variables.tf +++ b/infra/variables.tf @@ -17,4 +17,9 @@ variable "fastly_s3_logging" { type = map(string) description = "S3 bucket keys for Fastly logging" sensitive = true -} \ No newline at end of file +} +variable "ngwaf_token" { + type = string + description = "Secret token for the NGWAF API." + sensitive = true +} From e782de1f6c1da947cf2b794692ee273bbf7dacf4 Mon Sep 17 00:00:00 2001 From: Jacob Coffee Date: Tue, 10 Sep 2024 12:14:49 -0500 Subject: [PATCH 02/12] docs: update to latest var name --- infra/cdn/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/cdn/README.md b/infra/cdn/README.md index 0a4488fb4..0ce474661 100644 --- a/infra/cdn/README.md +++ b/infra/cdn/README.md 
@@ -44,7 +44,7 @@ module "fastly_production" { source = "./cdn" ... - enable_ngwaf = true + activate_ngwaf_service = true ... } ``` From cd4c1462a42c162ebf2dff2fb8f7df68d7c3cd5f Mon Sep 17 00:00:00 2001 From: Jacob Coffee Date: Tue, 10 Sep 2024 12:16:36 -0500 Subject: [PATCH 03/12] chore: apply formatting --- infra/cdn/ngwaf.tf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/infra/cdn/ngwaf.tf b/infra/cdn/ngwaf.tf index 3a8c24b5c..1323f7f0e 100644 --- a/infra/cdn/ngwaf.tf +++ b/infra/cdn/ngwaf.tf @@ -62,7 +62,7 @@ output "ngwaf_service_id" { # Fastly Service Dictionary Items resource "fastly_service_dictionary_items" "edge_security_dictionary_items" { - count = var.activate_ngwaf_service ? 1 : 0 + count = var.activate_ngwaf_service ? 1 : 0 service_id = fastly_service_vcl.ngwaf_service[0].id dictionary_id = [for d in fastly_service_vcl.ngwaf_service[0].dictionary : d.dictionary_id if d.name == var.edge_security_dictionary][0] items = { @@ -72,7 +72,7 @@ resource "fastly_service_dictionary_items" "edge_security_dictionary_items" { # Fastly Service Dynamic Snippet Contents resource "fastly_service_dynamic_snippet_content" "ngwaf_config_init" { - count = var.activate_ngwaf_service ? 1 : 0 + count = var.activate_ngwaf_service ? 1 : 0 service_id = fastly_service_vcl.ngwaf_service[0].id snippet_id = [for d in fastly_service_vcl.ngwaf_service[0].dynamicsnippet : d.snippet_id if d.name == "ngwaf_config_init"][0] content = "### Fastly managed ngwaf_config_init" @@ -80,7 +80,7 @@ resource "fastly_service_dynamic_snippet_content" "ngwaf_config_init" { } resource "fastly_service_dynamic_snippet_content" "ngwaf_config_miss" { - count = var.activate_ngwaf_service ? 1 : 0 + count = var.activate_ngwaf_service ? 1 : 0 service_id = fastly_service_vcl.ngwaf_service[0].id snippet_id = [for d in fastly_service_vcl.ngwaf_service[0].dynamicsnippet : d.snippet_id if d.name == "ngwaf_config_miss"][0] content = "### Fastly managed ngwaf_config_miss" 
@@ -88,7 +88,7 @@ resource "fastly_service_dynamic_snippet_content" "ngwaf_config_miss" { } resource "fastly_service_dynamic_snippet_content" "ngwaf_config_pass" { - count = var.activate_ngwaf_service ? 1 : 0 + count = var.activate_ngwaf_service ? 1 : 0 service_id = fastly_service_vcl.ngwaf_service[0].id snippet_id = [for d in fastly_service_vcl.ngwaf_service[0].dynamicsnippet : d.snippet_id if d.name == "ngwaf_config_pass"][0] content = "### Fastly managed ngwaf_config_pass" @@ -96,7 +96,7 @@ resource "fastly_service_dynamic_snippet_content" "ngwaf_config_pass" { } resource "fastly_service_dynamic_snippet_content" "ngwaf_config_deliver" { - count = var.activate_ngwaf_service ? 1 : 0 + count = var.activate_ngwaf_service ? 1 : 0 service_id = fastly_service_vcl.ngwaf_service[0].id snippet_id = [for d in fastly_service_vcl.ngwaf_service[0].dynamicsnippet : d.snippet_id if d.name == "ngwaf_config_deliver"][0] content = "### Fastly managed ngwaf_config_deliver" From 33da5a2746ff160b8c6aec4ad1fd7089857b2436 Mon Sep 17 00:00:00 2001 From: Jacob Coffee Date: Wed, 11 Sep 2024 13:50:27 -0500 Subject: [PATCH 04/12] feat: make ngwaf bits enabled via var --- infra/cdn/main.tf | 37 +++++++++++++++ infra/cdn/ngwaf.tf | 115 +++++---------------------------------------- 2 files changed, 50 insertions(+), 102 deletions(-) diff --git a/infra/cdn/main.tf b/infra/cdn/main.tf index 0fdb5f831..8f8ad4a18 100644 --- a/infra/cdn/main.tf +++ b/infra/cdn/main.tf 
@@ -342,6 +342,43 @@ resource "fastly_service_vcl" "python_org" { response = "Forbidden" status = 403 } + + # NGWAF Configuration + dictionary { + for_each = var.activate_ngwaf_service ? [1] : [] + name = var.edge_security_dictionary + } + + dynamicsnippet { + for_each = var.activate_ngwaf_service ? [1] : [] + name = "ngwaf_config_init" + type = "init" + priority = 0 + } + dynamicsnippet { + for_each = var.activate_ngwaf_service ? [1] : [] + name = "ngwaf_config_miss" + type = "miss" + priority = 9000 + } + dynamicsnippet { + for_each = var.activate_ngwaf_service ? [1] : [] + name = "ngwaf_config_pass" + type = "pass" + priority = 9000 + } + dynamicsnippet { + for_each = var.activate_ngwaf_service ? [1] : [] + name = "ngwaf_config_deliver" + type = "deliver" + priority = 9000 + } + + lifecycle { + ignore_changes = [ + product_enablement, + ] + } } output "service_id" { diff --git a/infra/cdn/ngwaf.tf b/infra/cdn/ngwaf.tf index 1323f7f0e..4b23d590c 100644 --- a/infra/cdn/ngwaf.tf +++ b/infra/cdn/ngwaf.tf 
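Review bot: `lifecycle { ignore_changes = [product_enablement] }` is now placed on the live `python_org` service, whose definition begins outside this hunk, with no comment on why product flags of the main site should be excluded from drift detection. Presumably the NGWAF edge deployment toggles products on the service outside Terraform and a plain apply would otherwise revert it — confirm that, and record it with `# product_enablement is managed by the NGWAF edge deployment; ignored here so a plan does not revert it`. Without the comment the next maintainer will read the block as permission for product flags on python.org to drift unnoticed.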
@@ -1,105 +1,19 @@ -resource "fastly_service_vcl" "ngwaf_service" { - count = var.activate_ngwaf_service ? 1 : 0 - name = "${var.name}-ngwaf" - activate = var.activate_ngwaf_service - - domain { - name = var.domain - comment = "NGWAF domain" - } - - backend { - address = var.backend_address - name = "ngwaf_backend" - port = 443 - use_ssl = true - ssl_cert_hostname = var.backend_address - ssl_sni_hostname = var.backend_address - override_host = var.backend_address - } - - # NGWAF Dynamic Snippets - dynamicsnippet { - name = "ngwaf_config_init" - type = "init" - priority = 0 - } - - dynamicsnippet { - name = "ngwaf_config_miss" - type = "miss" - priority = 9000 - } - - dynamicsnippet { - name = "ngwaf_config_pass" - type = "pass" - priority = 9000 - } - - dynamicsnippet { - name = "ngwaf_config_deliver" - type = "deliver" - priority = 9000 - } - - dictionary { - name = var.edge_security_dictionary - } - - product_enablement { - bot_management = true - } - - lifecycle { - ignore_changes = [product_enablement] - } -} - -output "ngwaf_service_id" { - value = var.activate_ngwaf_service ? fastly_service_vcl.ngwaf_service[0].id : null -} - # Fastly Service Dictionary Items resource "fastly_service_dictionary_items" "edge_security_dictionary_items" { count = var.activate_ngwaf_service ? 1 : 0 - service_id = fastly_service_vcl.ngwaf_service[0].id - dictionary_id = [for d in fastly_service_vcl.ngwaf_service[0].dictionary : d.dictionary_id if d.name == var.edge_security_dictionary][0] + service_id = fastly_service_vcl.python_org.id + dictionary_id = one([for d in fastly_service_vcl.python_org.dictionary : d.dictionary_id if d.name == var.edge_security_dictionary]) items = { Enabled : "100" } } # Fastly Service Dynamic Snippet Contents -resource "fastly_service_dynamic_snippet_content" "ngwaf_config_init" { - count = var.activate_ngwaf_service ? 
1 : 0 - service_id = fastly_service_vcl.ngwaf_service[0].id - snippet_id = [for d in fastly_service_vcl.ngwaf_service[0].dynamicsnippet : d.snippet_id if d.name == "ngwaf_config_init"][0] - content = "### Fastly managed ngwaf_config_init" - manage_snippets = false -} - -resource "fastly_service_dynamic_snippet_content" "ngwaf_config_miss" { - count = var.activate_ngwaf_service ? 1 : 0 - service_id = fastly_service_vcl.ngwaf_service[0].id - snippet_id = [for d in fastly_service_vcl.ngwaf_service[0].dynamicsnippet : d.snippet_id if d.name == "ngwaf_config_miss"][0] - content = "### Fastly managed ngwaf_config_miss" - manage_snippets = false -} - -resource "fastly_service_dynamic_snippet_content" "ngwaf_config_pass" { - count = var.activate_ngwaf_service ? 1 : 0 - service_id = fastly_service_vcl.ngwaf_service[0].id - snippet_id = [for d in fastly_service_vcl.ngwaf_service[0].dynamicsnippet : d.snippet_id if d.name == "ngwaf_config_pass"][0] - content = "### Fastly managed ngwaf_config_pass" - manage_snippets = false -} - -resource "fastly_service_dynamic_snippet_content" "ngwaf_config_deliver" { - count = var.activate_ngwaf_service ? 1 : 0 - service_id = fastly_service_vcl.ngwaf_service[0].id - snippet_id = [for d in fastly_service_vcl.ngwaf_service[0].dynamicsnippet : d.snippet_id if d.name == "ngwaf_config_deliver"][0] - content = "### Fastly managed ngwaf_config_deliver" +resource "fastly_service_dynamic_snippet_content" "ngwaf_config_snippets" { + for_each = var.activate_ngwaf_service ? toset(["init", "miss", "pass", "deliver"]) : [] + service_id = fastly_service_vcl.python_org.id + snippet_id = one([for d in fastly_service_vcl.python_org.dynamicsnippet : d.snippet_id if d.name == "ngwaf_config_${each.key}"]) + content = "### Terraform managed ngwaf_config_${each.key}" manage_snippets = false } 
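Review bot: The placeholder `content = "### Terraform managed ngwaf_config_${each.key}"` together with `manage_snippets = false` in `ngwaf_config_snippets` reads as if Terraform were writing an empty snippet into the live service, and nothing says otherwise. If, as it appears, the NGWAF edge deployment fills the snippet bodies and `manage_snippets = false` is what keeps later applies from clobbering them, put that on the resource: `# Snippet bodies are written by the NGWAF edge deployment; the placeholder only seeds them and manage_snippets = false keeps Terraform from overwriting them`. The `one([...])` lookups return null when no block carries the expected name, which surfaces as an opaque null `snippet_id`/`dictionary_id` error; those names are coupled to the `dynamicsnippet` blocks in `main.tf`, and a comment naming that coupling would help. If plan rejects the `? toset([...]) : []` conditional for inconsistent result types, `toset([])` on the false branch resolves it.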
@@ -114,17 +28,14 @@ resource "sigsci_edge_deployment_service" "ngwaf_edge_service_link" { count = var.activate_ngwaf_service ? 1 : 0 provider = sigsci.firewall site_short_name = var.ngwaf_site_name - fastly_sid = fastly_service_vcl.ngwaf_service[0].id - activate_version = var.activate_ngwaf_service + fastly_sid = fastly_service_vcl.python_org.id + activate_version = true percent_enabled = 100 depends_on = [ sigsci_edge_deployment.ngwaf_edge_site_service, - fastly_service_vcl.ngwaf_service, + fastly_service_vcl.python_org, fastly_service_dictionary_items.edge_security_dictionary_items, - fastly_service_dynamic_snippet_content.ngwaf_config_init, - fastly_service_dynamic_snippet_content.ngwaf_config_miss, - fastly_service_dynamic_snippet_content.ngwaf_config_pass, - fastly_service_dynamic_snippet_content.ngwaf_config_deliver, + fastly_service_dynamic_snippet_content.ngwaf_config_snippets, ] } @@ -132,8 +43,8 @@ resource "sigsci_edge_deployment_service_backend" "ngwaf_edge_service_backend_sy count = var.activate_ngwaf_service ? 1 : 0 provider = sigsci.firewall site_short_name = var.ngwaf_site_name - fastly_sid = fastly_service_vcl.ngwaf_service[0].id - fastly_service_vcl_active_version = fastly_service_vcl.ngwaf_service[0].active_version + fastly_sid = fastly_service_vcl.python_org.id + fastly_service_vcl_active_version = fastly_service_vcl.python_org.active_version depends_on = [ sigsci_edge_deployment_service.ngwaf_edge_service_link, ] From e8983758c6d9df678845ff156c3215b81aab9d18 Mon Sep 17 00:00:00 2001 From: Jacob Coffee Date: Wed, 11 Sep 2024 13:51:20 -0500 Subject: [PATCH 05/12] fix: use var fvor activation --- infra/cdn/ngwaf.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/cdn/ngwaf.tf b/infra/cdn/ngwaf.tf index 4b23d590c..3f5ca9aeb 100644 --- a/infra/cdn/ngwaf.tf +++ b/infra/cdn/ngwaf.tf 
@@ -29,7 +29,7 @@ resource "sigsci_edge_deployment_service" "ngwaf_edge_service_link" { provider = sigsci.firewall site_short_name = var.ngwaf_site_name fastly_sid = fastly_service_vcl.python_org.id - activate_version = true + activate_version = var.activate_ngwaf_service percent_enabled = 100 depends_on = [ sigsci_edge_deployment.ngwaf_edge_site_service, From ef7fbebfc37ab4cf118b72b060e5c825a1e0da22 Mon Sep 17 00:00:00 2001 From: Jacob Coffee Date: Wed, 11 Sep 2024 13:55:46 -0500 Subject: [PATCH 06/12] fix: fix invalid syntax --- infra/cdn/main.tf | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/infra/cdn/main.tf b/infra/cdn/main.tf index 8f8ad4a18..d1463b8ef 100644 --- a/infra/cdn/main.tf +++ b/infra/cdn/main.tf @@ -346,29 +346,28 @@ resource "fastly_service_vcl" "python_org" { # NGWAF Configuration dictionary { for_each = var.activate_ngwaf_service ? [1] : [] - name = var.edge_security_dictionary + name = var.edge_security_dictionary } dynamicsnippet { - for_each = var.activate_ngwaf_service ? [1] : [] name = "ngwaf_config_init" type = "init" priority = 0 } + dynamicsnippet { - for_each = var.activate_ngwaf_service ? [1] : [] name = "ngwaf_config_miss" type = "miss" priority = 9000 } + dynamicsnippet { - for_each = var.activate_ngwaf_service ? [1] : [] name = "ngwaf_config_pass" type = "pass" priority = 9000 } + dynamicsnippet { - for_each = var.activate_ngwaf_service ? [1] : [] name = "ngwaf_config_deliver" type = "deliver" priority = 9000 From e9a244279a8cecd0b532a694722cb8dce5391f18 Mon Sep 17 00:00:00 2001 From: Jacob Coffee Date: Wed, 11 Sep 2024 13:57:06 -0500 Subject: [PATCH 07/12] fix: fix invalid syntax again --- infra/cdn/main.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/infra/cdn/main.tf b/infra/cdn/main.tf index d1463b8ef..7dbd0959b 100644 --- a/infra/cdn/main.tf +++ b/infra/cdn/main.tf 
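Review bot: `activate_version = var.activate_ngwaf_service` is always `true` whenever this resource exists, because the same variable gates it through `count = var.activate_ngwaf_service ? 1 : 0` just above, so the change is a no-op relative to the literal `true` it replaces. If the intent is to be able to create the edge link without activating it, that needs a separate boolean (for example a `var.ngwaf_activate_version`); otherwise keep `activate_version = true` with a one-line comment that creation implies activation. The enclosing resource starts outside the hunk.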
@@ -345,7 +345,6 @@ resource "fastly_service_vcl" "python_org" { # NGWAF Configuration dictionary { - for_each = var.activate_ngwaf_service ? [1] : [] name = var.edge_security_dictionary } From e99fe117b1aac9c2a846ddf8978f76c0fde68498 Mon Sep 17 00:00:00 2001 From: Jacob Coffee Date: Thu, 12 Sep 2024 12:05:40 -0500 Subject: [PATCH 08/12] chore: use service account --- infra/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/infra/main.tf b/infra/main.tf index 469d7eb02..90c2ba9c5 100644 --- a/infra/main.tf +++ b/infra/main.tf @@ -14,7 +14,7 @@ module "fastly_production" { s3_logging_keys = var.fastly_s3_logging ngwaf_site_name = "prod" - ngwaf_email = "jacob.coffee@pyfound.org" # TODO + ngwaf_email = "infrastructure-staff@python.org" ngwaf_token = var.ngwaf_token activate_ngwaf_service = false } @@ -36,7 +36,7 @@ module "fastly_staging" { s3_logging_keys = var.fastly_s3_logging ngwaf_site_name = "test" - ngwaf_email = "jacob.coffee@pyfound.org" # TODO + ngwaf_email = "infrastructure-staff@python.org" ngwaf_token = var.ngwaf_token activate_ngwaf_service = true } From 30c7b18be597e162d5b968e7206cade14f24404d Mon Sep 17 00:00:00 2001 From: Jacob Coffee Date: Thu, 12 Sep 2024 12:07:20 -0500 Subject: [PATCH 09/12] chore: cleanup cruft --- infra/cdn/ngwaf.tf | 2 -- 1 file changed, 2 deletions(-) diff --git a/infra/cdn/ngwaf.tf b/infra/cdn/ngwaf.tf index 3f5ca9aeb..8ca3a61f6 100644 --- a/infra/cdn/ngwaf.tf +++ b/infra/cdn/ngwaf.tf @@ -1,4 +1,3 @@ -# Fastly Service Dictionary Items resource "fastly_service_dictionary_items" "edge_security_dictionary_items" { count = var.activate_ngwaf_service ? 1 : 0 service_id = fastly_service_vcl.python_org.id 
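Review bot: `ngwaf_email = "infrastructure-staff@python.org"` is now duplicated verbatim in both module calls, while the matching `ngwaf_token` is already a root-level variable; the address and the token are one credential and should move together. A root `variable "ngwaf_email"` with this address as its `default`, consumed as `ngwaf_email = var.ngwaf_email` in both calls, keeps the two from drifting apart when the token is rotated to another account.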
@@ -8,7 +7,6 @@ resource "fastly_service_dictionary_items" "edge_security_dictionary_items" { } } -# Fastly Service Dynamic Snippet Contents resource "fastly_service_dynamic_snippet_content" "ngwaf_config_snippets" { for_each = var.activate_ngwaf_service ? toset(["init", "miss", "pass", "deliver"]) : [] service_id = fastly_service_vcl.python_org.id From f55f20306e727b1551e4cc7d385a550b267cea2f Mon Sep 17 00:00:00 2001 From: Jacob Coffee Date: Thu, 12 Sep 2024 13:59:43 -0500 Subject: [PATCH 10/12] fix: apply patch for dynamic dynamic things --- infra/cdn/main.tf | 52 ++++++++++++++++++++++++++++++----------------- 1 file changed, 33 insertions(+), 19 deletions(-) diff --git a/infra/cdn/main.tf b/infra/cdn/main.tf index 7dbd0959b..eb6c6858c 100644 --- a/infra/cdn/main.tf +++ b/infra/cdn/main.tf 
@@ -343,33 +343,47 @@ resource "fastly_service_vcl" "python_org" { status = 403 } - # NGWAF Configuration - dictionary { - name = var.edge_security_dictionary + dynamic "dictionary" { + for_each = var.activate_ngwaf_service ? [1] : [] + content { + name = var.edge_security_dictionary + } } - dynamicsnippet { - name = "ngwaf_config_init" - type = "init" - priority = 0 + dynamic "dynamicsnippet" { + for_each = var.activate_ngwaf_service ? [1] : [] + content { + name = "ngwaf_config_init" + type = "init" + priority = 0 + } } - dynamicsnippet { - name = "ngwaf_config_miss" - type = "miss" - priority = 9000 + dynamic "dynamicsnippet" { + for_each = var.activate_ngwaf_service ? [1] : [] + content { + name = "ngwaf_config_miss" + type = "miss" + priority = 9000 + } } - dynamicsnippet { - name = "ngwaf_config_pass" - type = "pass" - priority = 9000 + dynamic "dynamicsnippet" { + for_each = var.activate_ngwaf_service ? [1] : [] + content { + name = "ngwaf_config_pass" + type = "pass" + priority = 9000 + } } - dynamicsnippet { - name = "ngwaf_config_deliver" - type = "deliver" - priority = 9000 + dynamic "dynamicsnippet" { + for_each = var.activate_ngwaf_service ? [1] : [] + content { + name = "ngwaf_config_deliver" + type = "deliver" + priority = 9000 + } } lifecycle { From b03a8de1bd5e0c889cc0374b78110668374522d8 Mon Sep 17 00:00:00 2001 From: Jacob Coffee Date: Thu, 12 Sep 2024 14:01:27 -0500 Subject: [PATCH 11/12] Update infra/cdn/README.md --- infra/cdn/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/cdn/README.md b/infra/cdn/README.md index 0ce474661..3aa36da75 100644 --- a/infra/cdn/README.md +++ b/infra/cdn/README.md @@ -29,7 +29,7 @@ N/A ## Requirements Tested on -- Tested on Terraform 1.8.5 +- Tested on Terraform 1.9.5 - Fastly provider 5.13.0 # Fastly's NGWAF From dde2e669772b179a54dc6fc0b002a83751c396c4 Mon Sep 17 00:00:00 2001 
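Review bot: The four `dynamic "dynamicsnippet"` blocks differ only in name, type and priority and repeat the same `for_each = var.activate_ngwaf_service ? [1] : []` guard, so adding a snippet type means copying a block and keeping its name in step with the `ngwaf_config_${each.key}` lookup in `ngwaf.tf`. One `dynamic` block driven by a small map of type to priority expresses the same four blocks, and a `for` filter keeps the `for_each` a map on both branches instead of relying on conditional type unification. If the provider treats `dynamicsnippet` as a set the change is behaviour-neutral; confirm with a plan. The enclosing `python_org` resource starts outside the hunk.
```hcl
# at file top level: snippet type => priority (name is derived as ngwaf_config_<type>)
locals {
  ngwaf_snippets = { init = 0, miss = 9000, pass = 9000, deliver = 9000 }
}

  # … unchanged: dynamic "dictionary" block …

  # One block per entry in local.ngwaf_snippets; the name must match the
  # "ngwaf_config_${each.key}" lookup in ngwaf.tf.
  dynamic "dynamicsnippet" {
    for_each = { for t, p in local.ngwaf_snippets : t => p if var.activate_ngwaf_service }
    content {
      name     = "ngwaf_config_${dynamicsnippet.key}"
      type     = dynamicsnippet.key
      priority = dynamicsnippet.value
    }
  }
```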
From: Jacob Coffee Date: Mon, 16 Sep 2024 09:41:32 -0500 Subject: [PATCH 12/12] Update infra/cdn/README.md --- infra/cdn/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/cdn/README.md b/infra/cdn/README.md index 3aa36da75..a667f63db 100644 --- a/infra/cdn/README.md +++ b/infra/cdn/README.md @@ -52,6 +52,6 @@ module "fastly_production" { ## Requirements Tested on -- Terraform 1.8.5 +- Terraform 1.9.5 - Fastly provider 5.13.0 - SigSci provider 3.3.0 \ No newline at end of file