Attach WAFv2 WebACL to on-demand API.

WarnerMedia · Jan 29, 2025 · 216b334 · 216b334
1 parent 0c72448
commit 216b334
Showing 1 changed file with 32 additions and 4 deletions.
diff --git a/orchestrator/terraform/modules/heimdall/api.tf b/orchestrator/terraform/modules/heimdall/api.tf
@@ -20,7 +20,7 @@ resource "aws_api_gateway_usage_plan" "org_queue_usage" {
 
   api_stages {
     api_id = aws_api_gateway_rest_api.on_demand_api.id
-    stage  = aws_api_gateway_deployment.on_demand_api.stage_name
+    stage  = var.api_stage
   }
 }
 
@@ -59,7 +59,7 @@ resource "aws_lambda_permission" "on_demand" {
   action        = "lambda:InvokeFunction"
   function_name = aws_lambda_function.org-queue.arn
   principal     = "apigateway.amazonaws.com"
-  source_arn    = "${aws_api_gateway_deployment.on_demand_api.execution_arn}/*/on_demand"
+  source_arn    = "${aws_api_gateway_stage.on_demand_api.execution_arn}/*/on_demand"
 }
 
 # Deployment
@@ -70,7 +70,35 @@ resource "aws_api_gateway_deployment" "on_demand_api" {
   ]
 
   rest_api_id = aws_api_gateway_rest_api.on_demand_api.id
-  stage_name  = var.api_stage
+}
+
+resource "aws_api_gateway_stage" "on_demand_api" {
+  deployment_id = aws_api_gateway_deployment.on_demand_api.id
+  rest_api_id   = aws_api_gateway_rest_api.on_demand_api.id
+  stage_name    = var.api_stage
+}
+
+resource "aws_wafv2_web_acl" "on_demand_api" {
+  name        = "${var.app}-on-demand-api-acl"
+  description = "ACL for ${var.app} On-Demand API"
+  scope       = "REGIONAL"
+
+  default_action {
+    allow {}
+  }
+
+  visibility_config {
+    cloudwatch_metrics_enabled = false
+    metric_name                = "${var.app}-on-demand-api-acl"
+    sampled_requests_enabled   = false
+  }
+
+  tags = var.tags
+}
+
+resource "aws_wafv2_web_acl_association" "on_demand_api" {
+  resource_arn = aws_api_gateway_stage.on_demand_api.arn
+  web_acl_arn  = aws_wafv2_web_acl.on_demand_api.arn
 }
 
 ###############################################################################
@@ -132,7 +160,7 @@ resource "aws_api_gateway_domain_name" "heimdall" {
 
 resource "aws_api_gateway_base_path_mapping" "on_demand" {
   api_id      = aws_api_gateway_rest_api.on_demand_api.id
-  stage_name  = aws_api_gateway_deployment.on_demand_api.stage_name
+  stage_name  = var.api_stage
   domain_name = aws_api_gateway_domain_name.heimdall.domain_name
   base_path   = "on_demand"
 }