diff --git a/package.json b/package.json
index ae7a3006f5..1895093a6d 100644
--- a/package.json
+++ b/package.json
@@ -53,6 +53,7 @@
 "yargs": "^16.1.1"
 },
 "dependencies": {
+ "@enterprise-cmcs/serverless-waf-plugin": "^1.3.2",
 "xml2js": "0.6.0"
 },
 "resolutions": {
diff --git a/services/app-api/serverless.yml b/services/app-api/serverless.yml
index 04749d6421..34338fe7dd 100644
--- a/services/app-api/serverless.yml
+++ b/services/app-api/serverless.yml
@@ -11,6 +11,7 @@ plugins:
 - serverless-plugin-typescript
 - serverless-plugin-warmup
 - serverless-associate-waf
+ - "@enterprise-cmcs/serverless-waf-plugin"
 - serverless-offline-ssm
 - serverless-offline
 - serverless-stack-termination-protection
@@ -34,6 +35,8 @@ custom:
 tsConfigFileLocation: "./tsconfig.json"
 stage: ${opt:stage, self:provider.stage}
 region: ${opt:region, self:provider.region}
+ wafPlugin:
+ name: ${self:service}-${self:custom.stage}-webacl-waf
 serverlessTerminationProtection:
 stages:
 - master
@@ -51,7 +54,7 @@ custom:
 measureTableStreamArn: ${env:DYNAMO_TABLE_ARN, cf:database-${self:custom.stage}.MeasureTableStreamArn}
 bannerTableName: ${env:bannerTableName, cf:database-${self:custom.stage}.BannerTableName}
 bannerTableArn: ${env:DYNAMO_TABLE_ARN, cf:database-${self:custom.stage}.BannerTableArn}
- webAclName: ${self:service}-${self:custom.stage}-webacl
+ webAclName: ${self:service}-${self:custom.stage}-webacl-waf
 vpcId: ${ssm:/configuration/${self:custom.stage}/vpc/id, ssm:/configuration/default/vpc/id, ''}
 privateSubnets:
 - ${ssm:/configuration/${self:custom.stage}/vpc/subnets/private/a/id, ssm:/configuration/default/vpc/subnets/private/a/id, ''}
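Review bot: The new `@enterprise-cmcs/serverless-waf-plugin` entry lands under `dependencies` next to `xml2js`, while the block that closes just above it (`"yargs": "^16.1.1"` then `},`) reads like the devDependencies where the other Serverless tooling lives; a deploy-time plugin belongs with that tooling rather than in the runtime dependency set. The `^1.3.2` range is only held steady by the root yarn.lock entry further down, so the build stays reproducible only while installs honour the lockfile (frozen-lockfile or equivalent in CI), which this page does not show. Because this plugin provisions the API's edge WAF, version bumps to it should be reviewed as security-relevant changes rather than routine dependency refreshes.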
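Review bot: The plugin added after `serverless-associate-waf` replaces the inline `ApiGwWebAcl` resource deleted in the `@@ -309,35 +312,6 @@` hunk, and that resource carried an explicit policy — `DefaultAction: Block` with a single `GeoMatchStatement` allow rule for US and its territories (GU, PR, US, UM, VI, MP) — whereas the only configuration handed to the plugin is `wafPlugin.name`. Nothing on this page shows which default action and rules the plugin's generated WebACL has, so unless the 1.3.2 plugin reproduces default-block plus the same geo scoping, this commit silently relaxes the API's edge posture. Please confirm against the plugin's template and record the outcome beside the entry, e.g. `# WebACL is created by the WAF plugin; default action and geo rules live there (see custom.wafPlugin)`, and if the geo allowlist is intentionally dropped, say so in the commit message. `serverless-associate-waf` is still listed, so the association presumably continues to key off `custom.webAclName`, which now has to stay in step with `wafPlugin.name`.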
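Review bot: `webAclName` is now the literal `${self:service}-${self:custom.stage}-webacl-waf`, the same string spelled out again under `custom.wafPlugin.name` in the preceding hunk; if the association plugin looks the ACL up by this name, as its use of `webAclName` suggests, the two copies can drift on the next rename and the API could end up with a failed or missing WAF association. Derive one from the other instead: `webAclName: ${self:custom.wafPlugin.name}`. Since the inline resource is deleted and the plugin creates a fresh ACL under the new name, the previously deployed `-webacl` ACL may remain as an orphan in already-deployed stages — worth checking after the first deploy.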
@@ -309,35 +312,6 @@ resources:
 gatewayresponse.header.Access-Control-Allow-Headers: "'*'"
 ResponseType: DEFAULT_5XX
 RestApiId: !Ref ApiGatewayRestApi
- ApiGwWebAcl:
- Type: AWS::WAFv2::WebACL
- Properties:
- Name: ${self:custom.webAclName}
- DefaultAction:
- Block: {}
- Rules:
- - Action:
- Allow: {}
- Name: ${self:custom.webAclName}-allow-usa-plus-territories
- Priority: 0
- Statement:
- GeoMatchStatement:
- CountryCodes:
- - GU # Guam
- - PR # Puerto Rico
- - US # USA
- - UM # US Minor Outlying Islands
- - VI # US Virgin Islands
- - MP # Northern Mariana Islands
- VisibilityConfig:
- SampledRequestsEnabled: true
- CloudWatchMetricsEnabled: true
- MetricName: WafWebAcl
- Scope: REGIONAL
- VisibilityConfig:
- CloudWatchMetricsEnabled: true
- SampledRequestsEnabled: true
- MetricName: ${self:custom.stage}-webacl
 Outputs:
 ApiGatewayRestApiName:
 Value: !Ref ApiGatewayRestApi
diff --git a/services/ui/package.json b/services/ui/package.json
index dd977525f2..90324d6171 100644
--- a/services/ui/package.json
+++ b/services/ui/package.json
@@ -10,8 +10,5 @@
 "license": "CC0-1.0",
 "devDependencies": {
 "serverless-s3-bucket-helper": "Enterprise-CMCS/serverless-s3-bucket-helper#0.1.1"
- },
- "dependencies": {
- "@enterprise-cmcs/serverless-waf-plugin": "^1.3.1"
 }
 }
diff --git a/services/ui/yarn.lock b/services/ui/yarn.lock
index a38b95ee47..8886796bb4 100644
--- a/services/ui/yarn.lock
+++ b/services/ui/yarn.lock
@@ -2,11 +2,6 @@ # yarn lockfile v1 -"@enterprise-cmcs/serverless-waf-plugin@^1.3.1": - version "1.3.2" - resolved "https://registry.yarnpkg.com/@enterprise-cmcs/serverless-waf-plugin/-/serverless-waf-plugin-1.3.2.tgz#66efd0b91326b7d1b045ab7ea7ba5826ed2e635d" - integrity sha512-577MWRddWK2uPEaeUMorOFQq6rhUhGwbdmz+tuKaU9+v77/bDQPqoc6cmhF2oYMswqpxvMgW0P07HAAcmKtquw== - serverless-s3-bucket-helper@Enterprise-CMCS/serverless-s3-bucket-helper#0.1.1: version "1.0.0" resolved "https://codeload.github.com/Enterprise-CMCS/serverless-s3-bucket-helper/tar.gz/f0f6d6a1ffe54e292f0afc93777764bce16a4037" diff --git a/yarn.lock b/yarn.lock index b4f7504ba7..adc85b2196 100644 --- a/yarn.lock +++ b/yarn.lock @@ -1766,6 +1766,11 @@ dependencies: "@jridgewell/trace-mapping" "0.3.9" +"@enterprise-cmcs/serverless-waf-plugin@^1.3.2": + version "1.3.2" + resolved "https://registry.yarnpkg.com/@enterprise-cmcs/serverless-waf-plugin/-/serverless-waf-plugin-1.3.2.tgz#66efd0b91326b7d1b045ab7ea7ba5826ed2e635d" + integrity sha512-577MWRddWK2uPEaeUMorOFQq6rhUhGwbdmz+tuKaU9+v77/bDQPqoc6cmhF2oYMswqpxvMgW0P07HAAcmKtquw== + "@eslint/eslintrc@^0.4.3": version "0.4.3" resolved "https://registry.yarnpkg.com/@eslint/eslintrc/-/eslintrc-0.4.3.tgz#9e42981ef035beb3dd49add17acb96e8ff6f394c"