fix: Updated capacity of upload rule group to support more upload paths. (TBE-137) (#24)

- fix: Set rule groups to create new groups before destroying.
- fix: Use a suffix for rule groups.

Author: jamesiarmes

README.md

@@ -13,7 +13,7 @@ to match your desired configuration. For example, to create a new distribution
 
 ```hcl
 module "cloudfront_waf" {
-  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.8.0"
+  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.8.1"
 
   project     = "my-project"
   environment = "dev"
@@ -76,7 +76,7 @@ distribution at `www.my-project.org`, you could use the following:
 
 ```hcl
 module "cloudfront_waf" {
-  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.8.0"
+  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.8.1"
 
   project     = "my-project"
   environment = "dev"
@@ -91,7 +91,6 @@ module "cloudfront_waf" {
 
 ## Inputs
 
-
 | Name                 | Description                                                                                                               | Type           | Default       | Required |
 |----------------------|---------------------------------------------------------------------------------------------------------------------------|----------------|---------------|----------|
 | domain               | Primary domain for the distribution. The hosted zone for this domain should be in the same account.                       | `string`       | n/a           | yes      |
@@ -126,7 +125,7 @@ Simply specify the headers you want to add in a map. For example:
 
 ```hcl
 module "cloudfront_waf" {
-  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.8.0"
+  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.8.1"
 
   project     = "my-project"
   environment = "dev"
@@ -162,7 +161,7 @@ resource "aws_wafv2_ip_set" "security_scanners" {
 }
 
 module "cloudfront_waf" {
-  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.8.0"
+  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.8.1"
 
   project     = "my-project"
   environment = "staging"
@@ -201,7 +200,7 @@ For example, to rate limit requests to 300 over a 5-minute period:
 
 ```hcl
 module "cloudfront_waf" {
-  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.8.0"
+  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.8.1"
 
   project     = "my-project"
   environment = "staging"
@@ -247,7 +246,7 @@ ensure it comes after the common and SQLi rule sets.
 
 ```hcl
 module "cloudfront_waf" {
-  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.8.0"
+  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.8.1"
 
   project     = "my-project"
   environment = "staging"
@@ -289,7 +288,7 @@ conditions that must be met for the request to be allowed through.
 
 ```hcl
 module "cloudfront_waf" {
-  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.8.0"
+  source = "github.com/codeforamerica/tofu-modules-aws-cloudfront-waf?ref=1.8.1"
 
   project     = "my-project"
   environment = "staging"

uploads.tf

@@ -1,13 +1,13 @@
 resource "aws_wafv2_rule_group" "uploads" {
   for_each = length(var.upload_paths) > 0 ? toset(["this"]) : toset([])
 
-  name     = "${local.prefix}-waf-allow-uploads"
-  scope    = "CLOUDFRONT"
-  capacity = 11
+  name_prefix = "${local.prefix}-waf-uploads-"
+  scope       = "CLOUDFRONT"
+  capacity    = 9 * length(var.upload_paths)
 
   visibility_config {
     cloudwatch_metrics_enabled = true
-    metric_name                = "${local.prefix}-waf-allow-uploads"
+    metric_name                = "${local.prefix}-waf-uploads"
     sampled_requests_enabled   = true
   }
 
@@ -266,4 +266,8 @@ resource "aws_wafv2_rule_group" "uploads" {
       sampled_requests_enabled   = true
     }
   }
+
+  lifecycle {
+    create_before_destroy = true
+  }
 }

webhooks.tf

@@ -1,9 +1,9 @@
 resource "aws_wafv2_rule_group" "webhooks" {
   for_each = length(var.webhooks) > 0 ? toset(["this"]) : toset([])
 
-  name     = "${local.prefix}-webhooks"
-  scope    = "CLOUDFRONT"
-  capacity = 50
+  name_prefix = "${local.prefix}-webhooks"
+  scope       = "CLOUDFRONT"
+  capacity    = 50
 
   visibility_config {
     cloudwatch_metrics_enabled = true
@@ -208,4 +208,8 @@ resource "aws_wafv2_rule_group" "webhooks" {
       }
     }
   }
+
+  lifecycle {
+    create_before_destroy = true
+  }
 }