Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Waf labels #1637

Closed
wants to merge 9 commits into from
Closed

Waf labels #1637

wants to merge 9 commits into from

Conversation

ChrisMcGowan
Copy link
Contributor

Changes proposed in this pull request:

  • Make inputs to the logstash waf logging rule dynamic to handle more then one host
  • Update the apps listener rule to allow multi hostnames
  • Update label names

Notes

This change sets a label at the WAF layer to all internal logstash traffic so we can drop logging that specific WAF traffic to CloudWatch. We also then forward that traffic to a specific router pool

security considerations

n/a

@ChrisMcGowan ChrisMcGowan requested a review from a team April 18, 2024 15:00
markdboyd
markdboyd reviewed Apr 18, 2024
View reviewed changes
terraform/modules/cloudfoundry/elb_uaa.tf
single_header {
name = "host"
dynamic "rule" {
for_each = var.waf_hostnames_0
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
for_each = var.waf_hostnames_0
for_each = var.waf_drop_logs_hostnames

Can we rename to remove the 0 index since this is a list of values? And rename to make the use more obvious?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let me work on that

markdboyd
markdboyd reviewed Apr 18, 2024
View reviewed changes
terraform/modules/cloudfoundry/elb_uaa.tf
statement {
or_statement {
dynamic "statement" {
for_each = var.waf_hostnames_0
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wait, is the nested for_each intentional here? With this code, I'd expect we'd get a separate rule for each hostname and three separate statements (combined with OR) within each rule

If the goal is to make the rules totally optional based on whether there are values in the variable, then rule needs to be dynamic. If the goal is just to have a dynamic set of statements within a rule that is always deployment, then statement here is the only thing that needs to be dynamic

@ChrisMcGowan ChrisMcGowan deleted the waf_labels branch April 18, 2024 15:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@markdboyd markdboyd markdboyd left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@ChrisMcGowan @markdboyd