
Commit f6fb79d

committed
Adding GSA IPv6 CIDR range to WAF
1 parent 4932338 commit f6fb79d


5 files changed

+34
-2
lines changed


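--- a/ci/pipeline.yml
+++ b/ci/pipeline.yml
@@ -736,6 +736,7 @@ jobs:
 TF_VAR_waf_drop_logs_hostnames: ((waf_drop_logs_hostnames))
 TF_VAR_logstash_hosts: ((development_logstash_hosts))
 TF_VAR_gsa_ip_range_ip_set_arn: ((gsa_ip_range_ip_set_arn))
+TF_VAR_gsa_ipv6_range_ip_set_arn: ((gsa_ipv6_range_ip_set_arn))
 TF_VAR_malicious_ja3_fingerprint_ids: ((malicious_ja3_fingerprint_ids))
 TF_VAR_api_data_gov_hosts_regex_pattern_arn: ((api_data_gov_hosts_regex_pattern_arn))
 TF_VAR_customer_whitelist_ip_ranges_set_arn: ((customer_whitelist_ip_ranges_set_arn))
@@ -984,6 +985,7 @@ jobs:
 TF_VAR_waf_drop_logs_hostnames: ((waf_drop_logs_hostnames))
 TF_VAR_logstash_hosts: ((staging_logstash_hosts))
 TF_VAR_gsa_ip_range_ip_set_arn: ((gsa_ip_range_ip_set_arn))
+TF_VAR_gsa_ipv6_range_ip_set_arn: ((gsa_ipv6_range_ip_set_arn))
 TF_VAR_malicious_ja3_fingerprint_ids: ((malicious_ja3_fingerprint_ids))
 TF_VAR_api_data_gov_hosts_regex_pattern_arn: ((api_data_gov_hosts_regex_pattern_arn))
 TF_VAR_customer_whitelist_ip_ranges_set_arn: ((customer_whitelist_ip_ranges_set_arn))
@@ -1231,6 +1233,7 @@ jobs:
 TF_VAR_waf_drop_logs_hostnames: ((waf_drop_logs_hostnames))
 TF_VAR_logstash_hosts: ((production_logstash_hosts))
 TF_VAR_gsa_ip_range_ip_set_arn: ((gsa_ip_range_ip_set_arn))
+TF_VAR_gsa_ipv6_range_ip_set_arn: ((gsa_ipv6_range_ip_set_arn))
 TF_VAR_malicious_ja3_fingerprint_ids: ((malicious_ja3_fingerprint_ids))
 TF_VAR_api_data_gov_hosts_regex_pattern_arn: ((api_data_gov_hosts_regex_pattern_arn))
 TF_VAR_customer_whitelist_ip_ranges_set_arn: ((customer_whitelist_ip_ranges_set_arn))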

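--- a/terraform/modules/cloudfoundry/variables.tf
+++ b/terraform/modules/cloudfoundry/variables.tf
@@ -194,7 +194,12 @@ variable "non_cdn_traffic_rate_limit_block_by_source_ip" {
 
 variable "gsa_ip_range_ip_set_arn" {
 type = string
-description = "ARN of IP set identifying GSA IP CIDR ranges"
+description = "ARN of IP v4 set identifying GSA IP CIDR ranges"
+}
+
+variable "gsa_ipv6_range_ip_set_arn" {
+type = string
+description = "ARN of IP v6 set identifying GSA IP CIDR ranges"
 }
 
 variable "malicious_ja3_fingerprint_ids" {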

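--- a/terraform/modules/cloudfoundry/waf.tf
+++ b/terraform/modules/cloudfoundry/waf.tf
@@ -415,6 +415,12 @@ resource "aws_wafv2_web_acl" "cf_uaa_waf_core" {
 }
 }
 
+statement {
+ip_set_reference_statement {
+arn = var.gsa_ipv6_range_ip_set_arn
+}
+}
+
 statement {
 ip_set_reference_statement {
 arn = var.customer_whitelist_source_ip_ranges_set_arn
@@ -445,6 +451,18 @@ resource "aws_wafv2_web_acl" "cf_uaa_waf_core" {
 }
 }
 
+statement {
+ip_set_reference_statement {
+arn = var.gsa_ipv6_range_ip_set_arn
+
+ip_set_forwarded_ip_config {
+header_name = var.forwarded_ip_header_name
+fallback_behavior = "NO_MATCH"
+position = "FIRST"
+}
+}
+}
+
 statement {
 ip_set_reference_statement {
 arn = var.internal_vpc_cidrs_set_arn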
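Review bot: The forwarded-IP variant of the new IPv6 statement (second hunk) uses `position = "FIRST"`, and the first entry of a forwarded-IP header is the one the originating client can populate itself, so the match is only as trustworthy as the edge that rewrites `var.forwarded_ip_header_name` before the request reaches WAF; whether this statement feeds an allow or a block decision cannot be seen here, because the rule body of `aws_wafv2_web_acl.cf_uaa_waf_core` starts and ends outside both hunks. If the new block is meant to mirror the existing v4 statement, a short comment would spare the next reader the comparison, e.g. `# IPv6 counterpart of the gsa_ip_range_ip_set_arn statement above; FIRST relies on the upstream proxy rewriting the header`. Nothing in the module checks that the set behind `var.gsa_ipv6_range_ip_set_arn` was created with the IPv6 address version, so that is worth confirming out of band, since a v4-only set referenced here would simply never match.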

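--- a/terraform/stacks/main/stack.tf
+++ b/terraform/stacks/main/stack.tf
@@ -294,6 +294,7 @@ module "cf" {
 
 ## TODO: manage these IP sets in Terraform somewhere
 gsa_ip_range_ip_set_arn = var.gsa_ip_range_ip_set_arn
+gsa_ipv6_range_ip_set_arn = var.gsa_ipv6_range_ip_set_arn
 api_data_gov_hosts_regex_pattern_arn = var.api_data_gov_hosts_regex_pattern_arn
 customer_whitelist_ip_ranges_set_arn = var.customer_whitelist_ip_ranges_set_arn
 customer_whitelist_source_ip_ranges_set_arn = var.customer_whitelist_source_ip_ranges_set_arn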
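Review bot: The new `gsa_ipv6_range_ip_set_arn` line lands under the existing `## TODO: manage these IP sets in Terraform somewhere`, so the CIDRs in the IPv6 set are, like those in the v4 set, maintained outside this repository and are not part of what this commit reviews. That widens the amount of WAF matching logic whose contents change without a plan or a code review, which is worth calling out where the ARN is wired in, e.g. `## TODO: manage these IP sets in Terraform somewhere (both GSA sets are created and edited out of band)`. The `module "cf"` block starts and ends outside this hunk.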

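--- a/terraform/stacks/main/variables.tf
+++ b/terraform/stacks/main/variables.tf
@@ -220,7 +220,12 @@ variable "logstash_hosts" {
 
 variable "gsa_ip_range_ip_set_arn" {
 type = string
-description = "ARN of IP set identifying GSA IP CIDR ranges"
+description = "ARN of IP v4 set identifying GSA IP CIDR ranges"
+}
+
+variable "gsa_ipv6_range_ip_set_arn" {
+type = string
+description = "ARN of IP v6 set identifying GSA IP CIDR ranges"
 }
 
 variable "malicious_ja3_fingerprint_ids" {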
