- Introduced Aggregator.sol for Chainlink-compatible oracle functionality, including round-based updates and access control. - Added OracleWithCCIP.sol to extend Aggregator with CCIP cross-chain messaging capabilities. - Created .gitmodules to include OpenZeppelin contracts as a submodule. - Developed a comprehensive deployment guide in NEXT_STEPS_COMPLETE_GUIDE.md for Phase 2 and smart contract deployment. - Implemented Vite configuration for the orchestration portal, supporting both Vue and React frameworks. - Added server-side logic for the Multi-Cloud Orchestration Portal, including API endpoints for environment management and monitoring. - Created scripts for resource import and usage validation across non-US regions. - Added tests for CCIP error handling and integration to ensure robust functionality. - Included various new files and directories for the orchestration portal and deployment scripts.
# WAF Rules for Application Gateway
# Defines the Web Application Firewall policy (managed rule sets and custom rules) for the Application Gateway
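resource "azurerm_web_application_firewall_policy" "main" {
  name                = "${var.cluster_name}-waf-policy"
  resource_group_name = var.resource_group_name
  location            = var.location

  # Policy settings.
  # Only "prod" runs in Prevention; every other environment runs in Detection,
  # which logs matched requests but still forwards them. A "matched" entry in
  # non-prod WAF logs therefore does not mean the request was blocked.
  policy_settings {
    enabled                     = true
    mode                        = var.environment == "prod" ? "Prevention" : "Detection"
    request_body_check          = true
    max_request_body_size_in_kb = 128
    file_upload_limit_in_mb     = 100
  }

  # Managed rules (use default OWASP + BotManager rule sets, no deprecated overrides)
  managed_rules {
    # OWASP Core Rule Set
    managed_rule_set {
      type    = "OWASP"
      version = "3.2"
    }

    # Bot Protection
    managed_rule_set {
      type    = "Microsoft_BotManagerRuleSet"
      version = "1.0"
    }
  }

  # Custom rules
  # Custom rules are evaluated before the managed rule sets, in priority order.
  # Avoid action = "Allow" here: a matching Allow rule ends evaluation for that
  # request, so the OWASP and BotManager rule sets above would never inspect it.
  #
  # Note: RateLimitRule requires group_by_user_session which may not be supported in current provider version
  # Uncomment and configure when provider supports it, or use Azure Portal/CLI to configure rate limiting
  # custom_rules {
  #   name                 = "BlockHighRateRequests"
  #   priority             = 1
  #   rule_type            = "RateLimitRule"
  #   action               = "Block"
  #   rate_limit_threshold = 100
  # }

  # Custom rule to block listed source IPs/CIDRs.
  # The block is only rendered when blocked_ips is non-empty; with an empty list
  # no rule exists in the policy at all.
  dynamic "custom_rules" {
    for_each = length(var.blocked_ips) > 0 ? [1] : []
    content {
      name      = "BlockSuspiciousIPs"
      priority  = 2
      rule_type = "MatchRule"
      action    = "Block"

      match_conditions {
        match_variables {
          variable_name = "RemoteAddr"
        }
        operator           = "IPMatch"
        match_values       = var.blocked_ips
        negation_condition = false
      }
    }
  }

  # Method allow-list, expressed as a Block rule with a negated condition:
  # a request whose method is NOT one of GET/POST/OPTIONS is blocked; requests
  # using those methods fall through to the managed rule sets.
  # Previously this was action = "Allow" on the same methods, which would have
  # exempted the bulk of traffic from the OWASP rules and blocked nothing.
  # "Equal" rather than "Contains" so the whole method token is compared.
  # HEAD is not in the list - confirm no client depends on it before relying on this.
  custom_rules {
    name      = "BlockUnexpectedMethods"
    priority  = 3
    rule_type = "MatchRule"
    action    = "Block"

    match_conditions {
      match_variables {
        variable_name = "RequestMethod"
      }
      operator           = "Equal"
      match_values       = ["GET", "POST", "OPTIONS"]
      negation_condition = true
    }
  }
}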
# Variables
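variable "blocked_ips" {
  description = "List of IP addresses/CIDR blocks to block at the WAF (matched against RemoteAddr). An empty list means the BlockSuspiciousIPs rule is not created."
  type        = list(string)
  default     = []

  # Reject entries the IPMatch operator cannot parse at plan time instead of at
  # apply time. Bare addresses are checked as a /32 so both "203.0.113.7" and
  # "203.0.113.0/24" pass; empty strings and hostnames fail.
  validation {
    condition = alltrue([
      for entry in var.blocked_ips :
      can(cidrhost(length(regexall("/", entry)) > 0 ? entry : "${entry}/32", 0))
    ])
    error_message = "Each blocked_ips entry must be an IP address or CIDR block, e.g. \"203.0.113.7\" or \"203.0.113.0/24\"."
  }
}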
# Variables environment, cluster_name, resource_group_name, and location
# are defined in variables.tf