From 96dbe1f5c51d8415b9747abbff2889c169cc0cd6 Mon Sep 17 00:00:00 2001
From: briskt <3172830+briskt@users.noreply.github.com>
Date: Tue, 29 Oct 2024 12:55:14 +0800
Subject: [PATCH 1/5] add a firewall rule to skip Super Bot Fight Mode for packets from NAT
---
 terraform/010-cluster/README.md | 3 +++
 terraform/010-cluster/main.tf | 30 ++++++++++++++++++++++++++++++
 terraform/010-cluster/vars.tf | 5 +++++
 terraform/010-cluster/versions.tf | 7 +++++++
 test/010-cluster.tf | 1 +
 5 files changed, 46 insertions(+)
diff --git a/terraform/010-cluster/README.md b/terraform/010-cluster/README.md
index 6fa6bb9..23716da 100644
--- a/terraform/010-cluster/README.md
+++ b/terraform/010-cluster/README.md
@@ -10,6 +10,9 @@ ssl certificate, core application load balancer, and a CloudWatch log group
 - Locate ACM certificate for use in ALB listeners
 - Create application load balancer (ALB)
 - Create CloudWatch log group
+ - Optionally create a Cloudwatch dashboard
+ - Optionally create a NAT gateway
+ - Create a Cloudflare rule to allow access to the NAT gateway (if enabled)
 
 ## Required Inputs
 
diff --git a/terraform/010-cluster/main.tf b/terraform/010-cluster/main.tf
index ce5df0a..295155d 100644
--- a/terraform/010-cluster/main.tf
+++ b/terraform/010-cluster/main.tf
@@ -136,3 +136,33 @@ module "ecs-service-cloudwatch-dashboard" {
 }
 
 data "aws_region" "current" {}
+
+
+resource "cloudflare_ruleset" "nat" {
+ count = var.create_nat_gateway ? 1 : 0
+
+ zone_id = data.cloudflare_zone.this.id
+ name = "Bypass bot protection"
+ description = "Skip super bot fight mode to ensure id-broker can access MFA API"
+ kind = "zone"
+ phase = "http_request_firewall_custom"
+
+ rules {
+ action = "skip"
+ expression = "(ip.src eq ${module.vpc.nat_gateway_ip})"
+ description = "skip outbound NAT gateway IP address"
+ enabled = true
+ action_parameters {
+ phases = [
+ "http_request_sbfm"
+ ]
+ }
+ logging {
+ enabled = true
+ }
+ }
+}
+
+data "cloudflare_zone" "this" {
+ name = var.cloudflare_domain
+}
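Review bot: The skip rule in `resource "cloudflare_ruleset" "nat"` keys on the source address alone, so every request that egresses through the NAT gateway bypasses Super Bot Fight Mode for every hostname in the zone, not only the MFA API that the `description` names. If id-broker only needs to reach that API, narrow the match, e.g. `expression = "(ip.src eq ${module.vpc.nat_gateway_ip} and http.host eq \"<mfa-api-hostname>\")"`, and state in the rule description that anything sharing the NAT egress inherits the bypass. `data "cloudflare_zone" "this"` has no `count`, so the zone lookup runs even when `var.create_nat_gateway` is false and the ruleset is not created; `count = var.create_nat_gateway ? 1 : 0` on the data source (and `data.cloudflare_zone.this[0].id` in the ruleset) keeps the Cloudflare provider out of plans that do not need it. `logging { enabled = true }` is the right call, since skipped requests would otherwise vanish from the firewall events.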
diff --git a/terraform/010-cluster/vars.tf b/terraform/010-cluster/vars.tf
index 0c0f34c..8ce253e 100644
--- a/terraform/010-cluster/vars.tf
+++ b/terraform/010-cluster/vars.tf
@@ -21,6 +21,11 @@ variable "cert_domain_name" {
 type = string
 }
 
+variable "cloudflare_domain" {
+ description = "The base domain name to be used for Cloudflare resources, e.g. example.net"
+ type = string
+}
+
 variable "create_dashboard" {
 description = "Set to false to remove the Cloudwatch Dashboard"
 type = bool
diff --git a/terraform/010-cluster/versions.tf b/terraform/010-cluster/versions.tf
index f6615c5..b5d9dd9 100644
--- a/terraform/010-cluster/versions.tf
+++ b/terraform/010-cluster/versions.tf
@@ -6,5 +6,12 @@ terraform {
 source = "hashicorp/aws"
 version = ">= 4.0.0, < 6.0.0"
 }
+ cloudflare = {
+ source = "cloudflare/cloudflare"
+
+ // 4.39.0 deprecated cloudflare_record.value
+ // While waiting for version 5 to mature, we'll constrain to earlier versions.
+ version = ">= 2.0.0, < 4.39.0"
+ }
 }
 }
diff --git a/test/010-cluster.tf b/test/010-cluster.tf
index 3630c03..c77aa42 100644
--- a/test/010-cluster.tf
+++ b/test/010-cluster.tf
@@ -6,6 +6,7 @@ module "cluster" {
 aws_instance = { a = "b" }
 aws_zones = [""]
 cert_domain_name = ""
+ cloudflare_domain = ""
 create_nat_gateway = true
 ecs_cluster_name = ""
 ecs_instance_profile_id = ""
From b16b15b07526a34c88bb2c946f7d9bfdf77a20dc Mon Sep 17 00:00:00 2001
From: briskt <3172830+briskt@users.noreply.github.com>
Date: Tue, 29 Oct 2024 12:56:41 +0800
Subject: [PATCH 2/5] make cloudflare_domain optional
---
 terraform/010-cluster/vars.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/terraform/010-cluster/vars.tf b/terraform/010-cluster/vars.tf
index 8ce253e..14b1a62 100644
--- a/terraform/010-cluster/vars.tf
+++ b/terraform/010-cluster/vars.tf
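Review bot: The new `cloudflare` requirement in versions.tf, `version = ">= 2.0.0, < 4.39.0"`, spans three provider major versions with incompatible schemas; as far as I recall, `cloudflare_ruleset` with the `action_parameters`/`logging` blocks used in main.tf only exists from the 3.x series, so a 2.x provider selected by an old lockfile would fail at plan instead of being rejected by the constraint. Raise the floor to the oldest release actually tested with this shape, e.g. `version = ">= 3.0.0, < 4.39.0"`, after confirming the minimum against the provider changelog. The comment explains the ceiling well; a matching one-liner for the floor would make the constraint self-documenting.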
@@ -24,6 +24,7 @@ variable "cert_domain_name" {
 variable "cloudflare_domain" {
 description = "The base domain name to be used for Cloudflare resources, e.g. example.net"
 type = string
+ default = ""
 }
 
 variable "create_dashboard" {
From b4a6e9d355668e5dc5b785490da99401e34adf92 Mon Sep 17 00:00:00 2001
From: briskt <3172830+briskt@users.noreply.github.com>
Date: Tue, 29 Oct 2024 13:39:46 +0800
Subject: [PATCH 3/5] fix MFA_LEARN_MORE_URL placement
---
 docker-compose/ssp/metadata/saml20-idp-hosted.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker-compose/ssp/metadata/saml20-idp-hosted.php b/docker-compose/ssp/metadata/saml20-idp-hosted.php
index eff4313..36f2ccd 100644
--- a/docker-compose/ssp/metadata/saml20-idp-hosted.php
+++ b/docker-compose/ssp/metadata/saml20-idp-hosted.php
@@ -33,7 +33,6 @@
 'idBrokerAssertValidIp' => Env::get('ID_BROKER_ASSERT_VALID_IP'),
 'idBrokerBaseUri' => Env::get('ID_BROKER_BASE_URI'),
 'idBrokerTrustedIpRanges' => Env::get('ID_BROKER_TRUSTED_IP_RANGES'),
- 'mfaLearnMoreUrl' => Env::get('MFA_LEARN_MORE_URL'),
 'mfaSetupUrl' => Env::get('MFA_SETUP_URL'),
 'loggerClass' => Psr3SamlLogger::class,
 ],
@@ -50,6 +49,7 @@
 30 => [
 'class' => 'profilereview:ProfileReview',
 'employeeIdAttr' => 'employeeNumber',
+ 'mfaLearnMoreUrl' => Env::get('MFA_LEARN_MORE_URL'),
 'profileUrl' => Env::get('PROFILE_URL'),
 'loggerClass' => Psr3SamlLogger::class,
 ],
From 72218a2cf5ed749ed78918378dc9c0ac49c693ca Mon Sep 17 00:00:00 2001
From: briskt <3172830+briskt@users.noreply.github.com>
Date: Wed, 30 Oct 2024 09:36:00 +0800
Subject: [PATCH 4/5] add check on cloudflare_domain to avoid plan fail
---
 terraform/010-cluster/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/010-cluster/main.tf b/terraform/010-cluster/main.tf
index 295155d..390d556 100644
--- a/terraform/010-cluster/main.tf
+++ b/terraform/010-cluster/main.tf
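Review bot: `default = ""` makes `cloudflare_domain` optional only at the declaration: `data "cloudflare_zone" "this"` in main.tf (outside this hunk) has no `count`, so with the default in effect the provider still looks up a zone named `""` at plan time, and `cloudflare_ruleset.nat` still references that lookup whenever `create_nat_gateway` is true. For the variable to be genuinely optional its consumers have to be gated on it as well, e.g. `count = var.cloudflare_domain != "" ? 1 : 0` on the data source, so that an empty value means "manage no Cloudflare resources" rather than a provider error. The description should also say what an empty value means, presumably that no Cloudflare resources are created.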
@@ -114,7 +114,7 @@ resource "aws_cloudwatch_log_group" "logs" {
 * Create CloudWatch Dashboard for services that will be in this cluster
 */
 module "ecs-service-cloudwatch-dashboard" {
- count = var.create_dashboard ? 1 : 0
+ count = var.create_dashboard && var.cloudflare_domain != "" ? 1 : 0
 
 source = "silinternational/ecs-service-cloudwatch-dashboard/aws"
 version = "~> 3.1"
From c5b7c5e315a76f5013eeb689c2571cfac91b762d Mon Sep 17 00:00:00 2001
From: briskt <3172830+briskt@users.noreply.github.com>
Date: Wed, 30 Oct 2024 14:17:57 +0800
Subject: [PATCH 5/5] try adding the idp name to the WAF rule to avoid error message "A similar configuration with rules already exists and overwriting will have unintended consequences. "
---
 terraform/010-cluster/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/010-cluster/main.tf b/terraform/010-cluster/main.tf
index 390d556..0af615e 100644
--- a/terraform/010-cluster/main.tf
+++ b/terraform/010-cluster/main.tf
@@ -150,7 +150,7 @@ resource "cloudflare_ruleset" "nat" {
 rules {
 action = "skip"
 expression = "(ip.src eq ${module.vpc.nat_gateway_ip})"
- description = "skip outbound NAT gateway IP address"
+ description = "${var.idp_name} NAT gateway skip bot protection"
 enabled = true
 action_parameters {
 phases = [
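Review bot: The condition added to `module "ecs-service-cloudwatch-dashboard"` is attached to the wrong object: the CloudWatch dashboard does not depend on `var.cloudflare_domain`, so a deployment that sets `create_dashboard = true` but leaves the domain empty now silently loses its dashboard, while the plan failure the commit message describes comes from `data "cloudflare_zone" "this"` and `cloudflare_ruleset.nat` (outside this hunk), which remain unconditional on the domain. Restore `count = var.create_dashboard ? 1 : 0` here and put the domain check on the Cloudflare objects instead, `count = var.create_nat_gateway && var.cloudflare_domain != "" ? 1 : 0`, with the ruleset referencing `data.cloudflare_zone.this[0].id`. The module block continues past the end of the hunk.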
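Review bot: Putting `var.idp_name` into the rule `description` is unlikely to clear the "A similar configuration with rules already exists" error quoted in the subject, because, as I understand the provider, that check is made on the ruleset (zone plus `phase`), not on the wording of an individual rule; a zone holds a single entrypoint ruleset per phase, so a second `cloudflare_ruleset.nat` for the same `cloudflare_domain` — another instance of this module, or a ruleset created elsewhere for `http_request_firewall_custom` — collides whatever its rules are called. If several IdPs share one zone, the rules need to be managed in one ruleset resource (several `rules` blocks, or an import of the existing one) rather than one resource per module instance. `var.idp_name` is not declared in any hunk shown, so presumably it already exists in vars.tf; the `rules` block continues past the end of the hunk.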