
Add WAF protection to application load balancers#197

Closed
devin-ai-integration[bot] wants to merge 17 commits into main from devin/1744929152-add-waf-protection

Conversation

@devin-ai-integration devin-ai-integration bot commented Apr 17, 2025

Add WAF Protection to Application Load Balancers

This PR adds Web Application Firewall (WAF) protection to the service layer by:

  1. Adding a WAF resource to the network module
  2. Adding WAF data source to the network data module
  3. Adding WAF input to service module
  4. Adding enable_waf config option to app-config (default: true)
  5. Updating service root module to attach WAF if enabled

The WAF uses the AWS Managed Common Rule Set for baseline protection.

Test Results

Terraform will perform the following actions:

  # module.network.aws_wafv2_web_acl.main will be created
  + resource "aws_wafv2_web_acl" "main" {
      + arn         = (known after apply)
      + capacity    = (known after apply)
      + description = "WAF to protect application load balancers in the dev network"
      + id          = (known after apply)
      + lock_token  = (known after apply)
      + name        = "dev"
      + scope       = "REGIONAL"
      + tags        = {
          + "Name" = "dev"
        }
      + tags_all    = {
          + "Name"                = "dev"
          + "description"         = "VPC resources"
          + "network_name"        = "dev"
          + "owner"               = "platform-admins"
          + "project"             = "platform-test"
          + "repository"          = "git@github.com:navapbc/platform-test.git"
          + "terraform"           = "true"
          + "terraform_workspace" = "default"
        }

      + default_action {
          + allow {
            }
        }

      + rule {
          + name     = "AWS-AWSManagedRulesCommonRuleSet"
          + priority = 1

          + override_action {
              + none {}
            }

          + statement {
              + managed_rule_group_statement {
                  + name        = "AWSManagedRulesCommonRuleSet"
                  + vendor_name = "AWS"
                }
            }

          + visibility_config {
              + cloudwatch_metrics_enabled = true
              + metric_name                = "AWS-AWSManagedRulesCommonRuleSet"
              + sampled_requests_enabled   = true
            }
        }

      + visibility_config {
          + cloudwatch_metrics_enabled = true
          + metric_name                = "dev-waf"
          + sampled_requests_enabled   = true
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Tested against the preview environment to try to trigger the XSS ruleset, and compared with the main endpoint:

curl -k "https://p-197-app-dev-142916550.us-east-1.elb.amazonaws.com/?search=<script>alert(1)</script>"
curl -k -X POST "https://p-197-app-dev-142916550.us-east-1.elb.amazonaws.com/" \
  -H "Content-Type: application/json" \
  -d '{"bad_input": "<script>alert(1)</script>"}'

Related

Link to Devin run: https://app.devin.ai/sessions/d3b02e5cf8194d24a1133291748ee2d5
Requested by: Loren Yu (loren@navapbc.com)

Preview environment for app-rails

♻️ Environment destroyed ♻️

Preview environment for app

♻️ Environment destroyed ♻️

Co-Authored-By: Loren Yu <loren@navapbc.com>
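The five steps listed in the description, sketched as one Terraform example. This is an added illustration, not the PR's own code: the split into a network module that owns the web ACL and a service module that attaches it, the `module.network.waf_arn` output, the `aws_lb.alb` resource name, and the logging configuration at the end are all assumptions made here so the pieces fit together in one file.

```hcl
# Added example, not code from this PR. Assumed layout: a network module owns the
# web ACL and exposes its ARN; a service module attaches it to the ALB when enabled.

# --- network module: regional web ACL with the AWS managed baseline rule group ---
variable "network_name" {
  type = string
}

resource "aws_wafv2_web_acl" "main" {
  name        = var.network_name
  description = "WAF to protect application load balancers in the ${var.network_name} network"
  scope       = "REGIONAL" # ALBs require REGIONAL; CLOUDFRONT is only for distributions

  default_action {
    allow {} # requests not matched by a blocking rule pass through
  }

  rule {
    name     = "AWS-AWSManagedRulesCommonRuleSet"
    priority = 1

    override_action {
      none {} # keep the rule group's own block actions instead of downgrading to count
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWS-AWSManagedRulesCommonRuleSet"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "${var.network_name}-waf"
    sampled_requests_enabled   = true
  }
}

# Assumed output name; the service module reads it as module.network.waf_arn.
output "waf_arn" {
  value = aws_wafv2_web_acl.main.arn
}

# --- service module: attach the ACL to the load balancer only when enabled ---
variable "enable_waf" {
  type    = bool
  default = true # matches the app-config default in the PR description
}

# Assumed: the service module already declares `module.network` (with the output
# above) and an `aws_lb.alb` resource. count = 0 cleanly detaches the ACL when disabled.
resource "aws_wafv2_web_acl_association" "alb" {
  count        = var.enable_waf ? 1 : 0
  resource_arn = aws_lb.alb.arn
  web_acl_arn  = module.network.waf_arn
}

# Assumed addition for detection: sampled requests only keep a subset, so ship full
# WAF logs. WAFv2 requires the log group name to start with "aws-waf-logs-".
resource "aws_cloudwatch_log_group" "waf" {
  count             = var.enable_waf ? 1 : 0
  name              = "aws-waf-logs-${var.network_name}"
  retention_in_days = 30
}

resource "aws_wafv2_web_acl_logging_configuration" "main" {
  count                   = var.enable_waf ? 1 : 0
  log_destination_configs = [aws_cloudwatch_log_group.waf[0].arn]
  resource_arn            = module.network.waf_arn
}
```

Two points worth checking against the plan above: `override_action { none {} }` is what makes the managed group actually block rather than just count, and the default action of `allow` means anything the Common Rule Set does not match reaches the ALB, so the logging configuration (not in the PR) is what gives an incident responder the full request record rather than the sampled subset.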
@devin-ai-integration (Author) commented

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

devin-ai-integration bot and others added 8 commits April 17, 2025 22:37
Co-Authored-By: Loren Yu <loren@navapbc.com>
Co-Authored-By: Loren Yu <loren@navapbc.com>
Co-Authored-By: Loren Yu <loren@navapbc.com>
Co-Authored-By: Loren Yu <loren@navapbc.com>
Co-Authored-By: Loren Yu <loren@navapbc.com>
Co-Authored-By: Loren Yu <loren@navapbc.com>
Co-Authored-By: Loren Yu <loren@navapbc.com>
Co-Authored-By: Loren Yu <loren@navapbc.com>

@lorenyu lorenyu left a comment


My mistake on the plan. Some changes:

  1. Get rid of infra/app/service/network.tf
  2. Replace the waf_arn input to infra/modules/service with an enable_waf input
  3. In infra/modules/service/waf.tf, use module.network.waf_arn if enable_waf is true rather than var.enable_waf, since module.network already exists in infra/modules/service/networking.tf

Comment thread infra/modules/network/resources/waf.tf Outdated
Comment thread infra/modules/network/data/main.tf Outdated
devin-ai-integration bot and others added 5 commits April 17, 2025 23:09
Co-Authored-By: Loren Yu <loren@navapbc.com>
Co-Authored-By: Loren Yu <loren@navapbc.com>
Co-Authored-By: Loren Yu <loren@navapbc.com>
Co-Authored-By: Loren Yu <loren@navapbc.com>

@lorenyu lorenyu left a comment


Stick to the original plan. If you run into errors with the PR environment checks workflow don't try to fix it yourself, ask me for guidance instead.

Comment thread infra/modules/network/resources/variables.tf Outdated
Comment thread infra/modules/network/resources/waf.tf Outdated
Comment thread infra/modules/network/data/variables.tf Outdated
devin-ai-integration bot and others added 2 commits April 17, 2025 23:26
…network modules

Co-Authored-By: Loren Yu <loren@navapbc.com>
@lorenyu lorenyu requested a review from coilysiren April 17, 2025 23:47

lorenyu commented Apr 17, 2025

@coilysiren could use another pair of eyes. This was mostly implemented by Devin. One thing to note is that the way it's implemented right now is you enable WAF for all environments or none.


lorenyu commented Apr 18, 2025

Done in navapbc/template-infra#924

@lorenyu lorenyu closed this Apr 18, 2025
@lorenyu lorenyu deleted the devin/1744929152-add-waf-protection branch April 18, 2025 18:50