diff --git a/docker-compose/ssp/metadata/saml20-idp-hosted.php b/docker-compose/ssp/metadata/saml20-idp-hosted.php
index eff43138..36f2ccdf 100644
--- a/docker-compose/ssp/metadata/saml20-idp-hosted.php
+++ b/docker-compose/ssp/metadata/saml20-idp-hosted.php
@@ -33,7 +33,6 @@
 'idBrokerAssertValidIp' => Env::get('ID_BROKER_ASSERT_VALID_IP'),
 'idBrokerBaseUri' => Env::get('ID_BROKER_BASE_URI'),
 'idBrokerTrustedIpRanges' => Env::get('ID_BROKER_TRUSTED_IP_RANGES'),
- 'mfaLearnMoreUrl' => Env::get('MFA_LEARN_MORE_URL'),
 'mfaSetupUrl' => Env::get('MFA_SETUP_URL'),
 'loggerClass' => Psr3SamlLogger::class,
 ],
@@ -50,6 +49,7 @@
 30 => [
 'class' => 'profilereview:ProfileReview',
 'employeeIdAttr' => 'employeeNumber',
+ 'mfaLearnMoreUrl' => Env::get('MFA_LEARN_MORE_URL'),
 'profileUrl' => Env::get('PROFILE_URL'),
 'loggerClass' => Psr3SamlLogger::class,
 ],
diff --git a/terraform/010-cluster/README.md b/terraform/010-cluster/README.md
index 6fa6bb95..23716da4 100644
--- a/terraform/010-cluster/README.md
+++ b/terraform/010-cluster/README.md
@@ -10,6 +10,9 @@ ssl certificate, core application load balancer, and a CloudWatch log group
 - Locate ACM certificate for use in ALB listeners
 - Create application load balancer (ALB)
 - Create CloudWatch log group
+ - Optionally create a Cloudwatch dashboard
+ - Optionally create a NAT gateway
+ - Create a Cloudflare rule to allow access to the NAT gateway (if enabled)
 
 ## Required Inputs
 
diff --git a/terraform/010-cluster/main.tf b/terraform/010-cluster/main.tf
index ce5df0a1..0af615e9 100644
--- a/terraform/010-cluster/main.tf
+++ b/terraform/010-cluster/main.tf
@@ -114,7 +114,7 @@ resource "aws_cloudwatch_log_group" "logs" {
 * Create CloudWatch Dashboard for services that will be in this cluster
 */
 module "ecs-service-cloudwatch-dashboard" {
- count = var.create_dashboard ? 1 : 0
+ count = var.create_dashboard && var.cloudflare_domain != "" ? 1 : 0
 source = "silinternational/ecs-service-cloudwatch-dashboard/aws"
 version = "~> 3.1"
 
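Review bot: The `var.cloudflare_domain != ""` condition added to the dashboard module's `count` ties a CloudWatch resource to a Cloudflare input that nothing visible in this module block uses, and it looks like the guard was meant for the `cloudflare_ruleset`/`cloudflare_zone` pair added later in this file, whose zone lookup is left unconditional. As written, a caller with `create_dashboard = true` that leaves `cloudflare_domain` at its default `""` silently loses the dashboard, while the Cloudflare lookup still runs. If the coupling is intentional, a one-line comment above `count` stating why the dashboard depends on a Cloudflare zone would spare the next reader the same question. The module block continues past the end of the hunk.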
@@ -136,3 +136,33 @@ module "ecs-service-cloudwatch-dashboard" {
 }
 
 data "aws_region" "current" {}
+
+
+resource "cloudflare_ruleset" "nat" {
+ count = var.create_nat_gateway ? 1 : 0
+
+ zone_id = data.cloudflare_zone.this.id
+ name = "Bypass bot protection"
+ description = "Skip super bot fight mode to ensure id-broker can access MFA API"
+ kind = "zone"
+ phase = "http_request_firewall_custom"
+
+ rules {
+ action = "skip"
+ expression = "(ip.src eq ${module.vpc.nat_gateway_ip})"
+ description = "${var.idp_name} NAT gateway skip bot protection"
+ enabled = true
+ action_parameters {
+ phases = [
+ "http_request_sbfm"
+ ]
+ }
+ logging {
+ enabled = true
+ }
+ }
+}
+
+data "cloudflare_zone" "this" {
+ name = var.cloudflare_domain
+}
diff --git a/terraform/010-cluster/vars.tf b/terraform/010-cluster/vars.tf
index 0c0f34c3..14b1a621 100644
--- a/terraform/010-cluster/vars.tf
+++ b/terraform/010-cluster/vars.tf
@@ -21,6 +21,12 @@ variable "cert_domain_name" {
 type = string
 }
 
+variable "cloudflare_domain" {
+ description = "The base domain name to be used for Cloudflare resources, e.g. example.net"
+ type = string
+ default = ""
+}
+
 variable "create_dashboard" {
 description = "Set to false to remove the Cloudwatch Dashboard"
 type = bool
diff --git a/terraform/010-cluster/versions.tf b/terraform/010-cluster/versions.tf
index f6615c50..b5d9dd92 100644
--- a/terraform/010-cluster/versions.tf
+++ b/terraform/010-cluster/versions.tf
@@ -6,5 +6,12 @@ terraform {
 source = "hashicorp/aws"
 version = ">= 4.0.0, < 6.0.0"
 }
+ cloudflare = {
+ source = "cloudflare/cloudflare"
+
+ // 4.39.0 deprecated cloudflare_record.value
+ // While waiting for version 5 to mature, we'll constrain to earlier versions.
+ version = ">= 2.0.0, < 4.39.0"
+ }
 }
 }
diff --git a/test/010-cluster.tf b/test/010-cluster.tf
index 3630c03a..c77aa427 100644
--- a/test/010-cluster.tf
+++ b/test/010-cluster.tf
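Review bot: `data "cloudflare_zone" "this"` carries no `count`, so it is read on every plan even when `create_nat_gateway` is false, and with the variable's default `""` it asks the provider for a zone with an empty name, which as far as I can tell either errors or resolves to whatever the API returns first; it also forces every caller to configure Cloudflare credentials whether or not they want the rule. Gate the lookup the same way as the resource and index the reference: `count = var.create_nat_gateway && var.cloudflare_domain != "" ? 1 : 0` on the data block, the same combined condition on the ruleset's `count`, and `zone_id = data.cloudflare_zone.this[0].id`. Separately, the skip rule matches on `ip.src` alone, so the Super Bot Fight Mode bypass covers every hostname in the zone rather than just the MFA API the description names; if only that host needs it, narrowing the expression to something like `(ip.src eq ${module.vpc.nat_gateway_ip} and http.host eq "<mfa-api-hostname>")` (placeholder host) keeps the exception as small as the requirement. Logging is enabled on the rule, which is good; it is what lets anyone later confirm the bypass is used only by the NAT gateway.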
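Review bot: The description of `cloudflare_domain` does not say when the value is mandatory, yet main.tf resolves a Cloudflare zone from it whenever the NAT-gateway rule is created, so the default `""` is only safe for callers who never enable that path. Suggest spelling that out: `description = "Base domain of the Cloudflare zone that will hold the NAT-gateway bot-protection rule, e.g. example.net. Required when create_nat_gateway is true."`. If the two inputs are meant to travel together, a sentence on `create_nat_gateway`'s description pointing back here would help as well, though that variable is outside this hunk.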
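Review bot: The lower bound `>= 2.0.0` admits provider releases that, as far as I recall, predate the `cloudflare_ruleset` resource main.tf now depends on (it appeared in the 3.x line), so a resolution at the bottom of the range would fail at plan time with an unknown resource type; raising the floor to the first release that supports `cloudflare_ruleset` with `logging` and `action_parameters.phases` would make the constraint match what the module actually uses. The comment justifies the `< 4.39.0` ceiling by the `cloudflare_record.value` deprecation, but nothing in this change uses `cloudflare_record`; if the ceiling is really about keeping `cloudflare_ruleset` on the pre-5.x schema, say that instead, e.g. `// Pin below the 5.x rewrite; cloudflare_ruleset's schema changes there.`, so the constraint is not loosened for the wrong reason later.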
@@ -6,6 +6,7 @@ module "cluster" {
 aws_instance = { a = "b" }
 aws_zones = [""]
 cert_domain_name = ""
+ cloudflare_domain = ""
 create_nat_gateway = true
 ecs_cluster_name = ""
 ecs_instance_profile_id = ""
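Review bot: The fixture now combines `cloudflare_domain = ""` with `create_nat_gateway = true`, which is exactly the pairing that makes main.tf look up a Cloudflare zone by an empty name, so the test exercises the new resource only as far as `terraform validate` goes and would not survive a plan with real providers. If the harness is validate-only that is acceptable, but a non-empty placeholder such as `cloudflare_domain = "example.net"` would reflect the intended configuration and document that the two inputs belong together. The `module "cluster"` block continues past the end of the hunk.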