navapbc · devin-ai-integration · Apr 17, 2025 · Apr 17, 2025 · Apr 17, 2025 · Apr 17, 2025
diff --git a/infra/app/app-config/env-config/variables.tf b/infra/app/app-config/env-config/variables.tf
@@ -43,6 +43,12 @@ variable "enable_notifications" {
   default     = false
 }
 
+variable "enable_waf" {
+  type        = bool
+  description = "Enables Web Application Firewall (WAF) protection for the application load balancer"
+  default     = true
+}
+
 variable "environment" {
   description = "name of the application environment (e.g. dev, staging, prod)"
   type        = string

diff --git a/infra/app/app-config/main.tf b/infra/app/app-config/main.tf
@@ -43,6 +43,11 @@ locals {
   # 2. Configures email notifications using AWS SES
   enable_notifications = true
 
+  # Whether or not the application should enable WAF for the load balancer.
+  # If enabled:
+  # 1. Creates an AWS WAF web ACL with AWSManagedRulesCommonRuleSet
+  enable_waf = true
+
   environment_configs = {
     dev     = module.dev_config
     staging = module.staging_config

diff --git a/infra/app/app-config/outputs.tf b/infra/app/app-config/outputs.tf
@@ -34,6 +34,10 @@ output "enable_notifications" {
   value = local.enable_notifications
 }
 
+output "enable_waf" {
+  value = local.enable_waf
+}
+
 output "shared_network_name" {
   value = local.shared_network_name
 }
diff --git a/infra/app/service/main.tf b/infra/app/service/main.tf
@@ -69,6 +69,7 @@ module "service" {
   domain_name     = module.domain.domain_name
   hosted_zone_id  = module.domain.hosted_zone_id
   certificate_arn = module.domain.certificate_arn
+  waf_arn         = module.app_config.enable_waf ? module.service.network.waf_arn : null
 
   cpu                      = local.service_config.cpu
   memory                   = local.service_config.memory

diff --git a/infra/modules/network/data/main.tf b/infra/modules/network/data/main.tf
@@ -42,3 +42,12 @@ data "aws_security_groups" "aws_services" {
     values = [data.aws_vpc.network.id]
   }
 }
+
+data "aws_wafv2_web_acl" "network" {
+  name  = module.interface.waf_acl_name
+  scope = "REGIONAL"
+}
+
+output "waf_arn" {
+  value = data.aws_wafv2_web_acl.network.arn
+}
diff --git a/infra/modules/network/interface/outputs.tf b/infra/modules/network/interface/outputs.tf
@@ -17,3 +17,7 @@ output "private_subnet_tags" {
 output "public_subnet_tags" {
   value = { subnet_type = "public" }
 }
+
+output "waf_acl_name" {
+  value = var.name
+}
diff --git a/infra/modules/network/resources/waf.tf b/infra/modules/network/resources/waf.tf
@@ -0,0 +1,89 @@
+resource "aws_wafv2_web_acl" "main" {
+  name        = module.interface.waf_acl_name
+  description = "WAF to protect application load balancers in the ${var.name} network"
+  scope       = "REGIONAL"
+
+  default_action {
+    allow {}
+  }
+
+  rule {
+    name     = "AWS-AWSManagedRulesCommonRuleSet"
+    priority = 1
+
+    override_action {
+      none {}
+    }
+
+    statement {
+      managed_rule_group_statement {
+        name        = "AWSManagedRulesCommonRuleSet"
+        vendor_name = "AWS"
+      }
+    }
+
+    visibility_config {
+      cloudwatch_metrics_enabled = true
+      metric_name                = "AWS-AWSManagedRulesCommonRuleSet"
+      sampled_requests_enabled   = true
+    }
+  }
+
+  rule {
+    name     = "AWS-AWSManagedRulesKnownBadInputsRuleSet"
+    priority = 2
+
+    override_action {
+      none {}
+    }
+
+    statement {
+      managed_rule_group_statement {
+        name        = "AWSManagedRulesKnownBadInputsRuleSet"
+        vendor_name = "AWS"
+      }
+    }
+
+    visibility_config {
+      cloudwatch_metrics_enabled = true
+      metric_name                = "AWS-AWSManagedRulesKnownBadInputsRuleSet"
+      sampled_requests_enabled   = true
+    }
+  }
+
+  visibility_config {
+    cloudwatch_metrics_enabled = true
+    metric_name                = "${var.name}-waf"
+    sampled_requests_enabled   = true
+  }
+
+  tags = {
+    Name = var.name
+  }
+}
+
+resource "aws_cloudwatch_log_group" "waf_logs" {
+  name              = "aws-waf-logs-${var.name}"
+  retention_in_days = 30
+  kms_key_id        = aws_kms_key.waf_logs.arn
+}
+
+resource "aws_kms_key" "waf_logs" {
+  description             = "KMS key for WAF logs encryption"
+  deletion_window_in_days = 7
+  enable_key_rotation     = true
+}
+
+resource "aws_kms_alias" "waf_logs" {
+  name          = "alias/${var.name}-waf-logs"
+  target_key_id = aws_kms_key.waf_logs.key_id
+}
+
+resource "aws_wafv2_web_acl_logging_configuration" "main" {
+  log_destination_configs = [aws_cloudwatch_log_group.waf_logs.arn]
+  resource_arn            = aws_wafv2_web_acl.main.arn
+}
+
+output "waf_arn" {
+  value = aws_wafv2_web_acl.main.arn
+}
diff --git a/infra/modules/service/variables.tf b/infra/modules/service/variables.tf
@@ -166,3 +166,9 @@ variable "ephemeral_write_volumes" {
   description = "A set of absolute paths in the container to be mounted as writable for the life of the task. These need to be declared with `VOLUME` instructions in the container build file."
   default     = []
 }
+
+variable "waf_arn" {
+  type        = string
+  description = "The ARN of the WAF ACL to associate with the load balancer"
+  default     = null
+}
diff --git a/infra/modules/service/waf.tf b/infra/modules/service/waf.tf
@@ -0,0 +1,5 @@
+resource "aws_wafv2_web_acl_association" "main" {
+  count        = var.waf_arn != null ? 1 : 0
+  resource_arn = aws_lb.alb.arn
+  web_acl_arn  = var.waf_arn
+}