modify qmr api gateway waf to utilize the enterprise cmcs waf plugin (#…

…2045) Co-authored-by: dwhite_stratiform <[email protected]> Co-authored-by: dwhite_stratiform <[email protected]>
Enterprise-CMCS · Feb 1, 2024 · f376264 · f376264
1 parent 7973e54
commit f376264
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 38 deletions.
diff --git a/package.json b/package.json
@@ -53,6 +53,7 @@
     "yargs": "^16.1.1"
   },
   "dependencies": {
+    "@enterprise-cmcs/serverless-waf-plugin": "^1.3.2",
     "xml2js": "0.6.0"
   },
   "resolutions": {

diff --git a/services/app-api/serverless.yml b/services/app-api/serverless.yml
@@ -11,6 +11,7 @@ plugins:
   - serverless-plugin-typescript
   - serverless-plugin-warmup
   - serverless-associate-waf
+  - "@enterprise-cmcs/serverless-waf-plugin"
   - serverless-offline-ssm
   - serverless-offline
   - serverless-stack-termination-protection
@@ -34,6 +35,8 @@ custom:
     tsConfigFileLocation: "./tsconfig.json"
   stage: ${opt:stage, self:provider.stage}
   region: ${opt:region, self:provider.region}
+  wafPlugin:
+    name: ${self:service}-${self:custom.stage}-webacl-waf
   serverlessTerminationProtection:
     stages:
       - master
@@ -51,7 +54,7 @@ custom:
   measureTableStreamArn: ${env:DYNAMO_TABLE_ARN, cf:database-${self:custom.stage}.MeasureTableStreamArn}
   bannerTableName: ${env:bannerTableName, cf:database-${self:custom.stage}.BannerTableName}
   bannerTableArn: ${env:DYNAMO_TABLE_ARN, cf:database-${self:custom.stage}.BannerTableArn}
-  webAclName: ${self:service}-${self:custom.stage}-webacl
+  webAclName: ${self:service}-${self:custom.stage}-webacl-waf
   vpcId: ${ssm:/configuration/${self:custom.stage}/vpc/id, ssm:/configuration/default/vpc/id, ''}
   privateSubnets:
     - ${ssm:/configuration/${self:custom.stage}/vpc/subnets/private/a/id, ssm:/configuration/default/vpc/subnets/private/a/id, ''}
@@ -309,35 +312,6 @@ resources:
           gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
         ResponseType: DEFAULT_5XX
         RestApiId: !Ref ApiGatewayRestApi
-    ApiGwWebAcl:
-      Type: AWS::WAFv2::WebACL
-      Properties:
-        Name: ${self:custom.webAclName}
-        DefaultAction:
-          Block: {}
-        Rules:
-          - Action:
-              Allow: {}
-            Name: ${self:custom.webAclName}-allow-usa-plus-territories
-            Priority: 0
-            Statement:
-              GeoMatchStatement:
-                CountryCodes:
-                  - GU # Guam
-                  - PR # Puerto Rico
-                  - US # USA
-                  - UM # US Minor Outlying Islands
-                  - VI # US Virgin Islands
-                  - MP # Northern Mariana Islands
-            VisibilityConfig:
-              SampledRequestsEnabled: true
-              CloudWatchMetricsEnabled: true
-              MetricName: WafWebAcl
-        Scope: REGIONAL
-        VisibilityConfig:
-          CloudWatchMetricsEnabled: true
-          SampledRequestsEnabled: true
-          MetricName: ${self:custom.stage}-webacl
   Outputs:
     ApiGatewayRestApiName:
       Value: !Ref ApiGatewayRestApi

diff --git a/services/ui/package.json b/services/ui/package.json
@@ -10,8 +10,5 @@
   "license": "CC0-1.0",
   "devDependencies": {
     "serverless-s3-bucket-helper": "Enterprise-CMCS/serverless-s3-bucket-helper#0.1.1"
-  },
-  "dependencies": {
-    "@enterprise-cmcs/serverless-waf-plugin": "^1.3.1"
   }
 }
diff --git a/services/ui/yarn.lock b/services/ui/yarn.lock
@@ -2,11 +2,6 @@
 # yarn lockfile v1
 
 
-"@enterprise-cmcs/serverless-waf-plugin@^1.3.1":
-  version "1.3.2"
-  resolved "https://registry.yarnpkg.com/@enterprise-cmcs/serverless-waf-plugin/-/serverless-waf-plugin-1.3.2.tgz#66efd0b91326b7d1b045ab7ea7ba5826ed2e635d"
-  integrity sha512-577MWRddWK2uPEaeUMorOFQq6rhUhGwbdmz+tuKaU9+v77/bDQPqoc6cmhF2oYMswqpxvMgW0P07HAAcmKtquw==
-
 serverless-s3-bucket-helper@Enterprise-CMCS/serverless-s3-bucket-helper#0.1.1:
   version "1.0.0"
   resolved "https://codeload.github.com/Enterprise-CMCS/serverless-s3-bucket-helper/tar.gz/f0f6d6a1ffe54e292f0afc93777764bce16a4037"
diff --git a/yarn.lock b/yarn.lock
@@ -1766,6 +1766,11 @@
   dependencies:
     "@jridgewell/trace-mapping" "0.3.9"
 
+"@enterprise-cmcs/serverless-waf-plugin@^1.3.2":
+  version "1.3.2"
+  resolved "https://registry.yarnpkg.com/@enterprise-cmcs/serverless-waf-plugin/-/serverless-waf-plugin-1.3.2.tgz#66efd0b91326b7d1b045ab7ea7ba5826ed2e635d"
+  integrity sha512-577MWRddWK2uPEaeUMorOFQq6rhUhGwbdmz+tuKaU9+v77/bDQPqoc6cmhF2oYMswqpxvMgW0P07HAAcmKtquw==
+
 "@eslint/eslintrc@^0.4.3":
   version "0.4.3"
   resolved "https://registry.yarnpkg.com/@eslint/eslintrc/-/eslintrc-0.4.3.tgz#9e42981ef035beb3dd49add17acb96e8ff6f394c"