Merge branch 'main' into check-status-code

docker-compose/ssp/metadata/saml20-idp-hosted.php

@@ -33,7 +33,6 @@
             'idBrokerAssertValidIp' => Env::get('ID_BROKER_ASSERT_VALID_IP'),
             'idBrokerBaseUri' => Env::get('ID_BROKER_BASE_URI'),
             'idBrokerTrustedIpRanges' => Env::get('ID_BROKER_TRUSTED_IP_RANGES'),
-            'mfaLearnMoreUrl' => Env::get('MFA_LEARN_MORE_URL'),
             'mfaSetupUrl' => Env::get('MFA_SETUP_URL'),
             'loggerClass' => Psr3SamlLogger::class,
         ],
@@ -50,6 +49,7 @@
         30 => [
             'class' => 'profilereview:ProfileReview',
             'employeeIdAttr' => 'employeeNumber',
+            'mfaLearnMoreUrl' => Env::get('MFA_LEARN_MORE_URL'),
             'profileUrl' => Env::get('PROFILE_URL'),
             'loggerClass' => Psr3SamlLogger::class,
         ],

terraform/010-cluster/README.md

@@ -10,6 +10,9 @@ ssl certificate, core application load balancer, and a CloudWatch log group
  - Locate ACM certificate for use in ALB listeners
  - Create application load balancer (ALB)
  - Create CloudWatch log group
+ - Optionally create a Cloudwatch dashboard
+ - Optionally create a NAT gateway
+ - Create a Cloudflare rule to allow access to the NAT gateway (if enabled)
 
 ## Required Inputs
 

terraform/010-cluster/main.tf

@@ -114,7 +114,7 @@ resource "aws_cloudwatch_log_group" "logs" {
  * Create CloudWatch Dashboard for services that will be in this cluster
  */
 module "ecs-service-cloudwatch-dashboard" {
-  count = var.create_dashboard ? 1 : 0
+  count = var.create_dashboard && var.cloudflare_domain != "" ? 1 : 0
 
   source  = "silinternational/ecs-service-cloudwatch-dashboard/aws"
   version = "~> 3.1"
@@ -136,3 +136,33 @@ module "ecs-service-cloudwatch-dashboard" {
 }
 
 data "aws_region" "current" {}
+
+
+resource "cloudflare_ruleset" "nat" {
+  count = var.create_nat_gateway ? 1 : 0
+
+  zone_id     = data.cloudflare_zone.this.id
+  name        = "Bypass bot protection"
+  description = "Skip super bot fight mode to ensure id-broker can access MFA API"
+  kind        = "zone"
+  phase       = "http_request_firewall_custom"
+
+  rules {
+    action      = "skip"
+    expression  = "(ip.src eq ${module.vpc.nat_gateway_ip})"
+    description = "${var.idp_name} NAT gateway skip bot protection"
+    enabled     = true
+    action_parameters {
+      phases = [
+        "http_request_sbfm"
+      ]
+    }
+    logging {
+      enabled = true
+    }
+  }
+}
+
+data "cloudflare_zone" "this" {
+  name = var.cloudflare_domain
+}

terraform/010-cluster/vars.tf

@@ -21,6 +21,12 @@ variable "cert_domain_name" {
   type = string
 }
 
+variable "cloudflare_domain" {
+  description = "The base domain name to be used for Cloudflare resources, e.g. example.net"
+  type        = string
+  default     = ""
+}
+
 variable "create_dashboard" {
   description = "Set to false to remove the Cloudwatch Dashboard"
   type        = bool

terraform/010-cluster/versions.tf

@@ -6,5 +6,12 @@ terraform {
       source  = "hashicorp/aws"
       version = ">= 4.0.0, < 6.0.0"
     }
+    cloudflare = {
+      source = "cloudflare/cloudflare"
+
+      // 4.39.0 deprecated cloudflare_record.value
+      // While waiting for version 5 to mature, we'll constrain to earlier versions.
+      version = ">= 2.0.0, < 4.39.0"
+    }
   }
 }

test/010-cluster.tf

@@ -6,6 +6,7 @@ module "cluster" {
   aws_instance             = { a = "b" }
   aws_zones                = [""]
   cert_domain_name         = ""
+  cloudflare_domain        = ""
   create_nat_gateway       = true
   ecs_cluster_name         = ""
   ecs_instance_profile_id  = ""