Create a base module for WAF rules
Proposal
Build the base terraform module to contain WAF rules. This module will be used in the Dedicated platform and eventually the SaaS platform as well to avoid duplication of effort. This does not need to contain any custom rules that will be discovered in #25256 (closed).
Module location: https://ops.gitlab.net/gitlab-com/gl-infra/terraform-modules/cloudflare/cloudflare-waf-rules
Tasks:

- Extract from the SaaS configuration the WAF custom rules and rate-limit rules that can be common to all platforms (US embargo geoblocking, bypasses, global rate-limits, ...):
  - https://ops.gitlab.net/gitlab-com/gl-infra/config-mgmt/-/blob/main/environments/gprd/cloudflare-custom-rules.tf
  - https://ops.gitlab.net/gitlab-com/gl-infra/config-mgmt/-/blob/main/environments/gprd/cloudflare-rate-limits-waf-and-rules.tf
  - https://ops.gitlab.net/gitlab-com/gl-infra/config-mgmt/-/blob/main/environments/gstg/cloudflare-custom-rules.tf
  - https://ops.gitlab.net/gitlab-com/gl-infra/config-mgmt/-/blob/main/environments/gstg/cloudflare-rate-limits-waf-and-rules.tf
- Add rulesets with those rules to the module; the module is to be used once per zone
- Make the rate-limit thresholds configurable
- Add support for adding extra rules to each ruleset (because a zone can only have one ruleset per phase at a time)
- Add support for an Allowlist rule in the Custom rules, which pulls the allowlist for each tenant out of the tenant model
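As an added sketch of the ruleset shape the "extra rules" and "Allowlist" tasks describe (example code, not the module's own), assuming the Cloudflare Terraform provider v4 `cloudflare_ruleset` schema; the variable names and the placeholder country code are assumptions, and the shared rules would come from the SaaS config files linked above:

```hcl
# Added example, not the module's code; assumes Cloudflare provider v4 schema.
variable "zone_id" { type = string }
# Per-tenant allowlist; the real module would read it from the tenant model.
variable "allowlist_cidrs" {
  type    = list(string)
  default = []
}
# Extra per-zone rules appended to the shared ones, since a zone may only
# have one ruleset per phase.
variable "extra_custom_rules" {
  type    = list(object({ description = string, expression = string, action = string }))
  default = []
}
locals {
  # Allowlist goes first so it is evaluated before any block rule.
  allowlist_rules = length(var.allowlist_cidrs) == 0 ? [] : [{
    description = "Tenant allowlist bypass"
    expression  = "(ip.src in {${join(" ", var.allowlist_cidrs)}})"
    action      = "skip"
  }]
  # Shared rules extracted from the SaaS config; placeholder expression here.
  common_custom_rules = [{
    description = "Block embargoed countries"
    expression  = "(ip.geoip.country in {\"XX\"})" # XX is a placeholder
    action      = "block"
  }]
}
resource "cloudflare_ruleset" "custom" {
  zone_id = var.zone_id
  name    = "custom rules"
  kind    = "zone"
  phase   = "http_request_firewall_custom"
  # One ruleset per phase per zone, so allowlist, shared and extra rules are merged.
  dynamic "rules" {
    for_each = concat(local.allowlist_rules, local.common_custom_rules, var.extra_custom_rules)
    content {
      description = rules.value.description
      expression  = rules.value.expression
      action      = rules.value.action
      enabled     = true
      # "skip" needs action_parameters telling it what to skip: the rest of this ruleset.
      dynamic "action_parameters" {
        for_each = rules.value.action == "skip" ? [1] : []
        content { ruleset = "current" }
      }
    }
  }
}
```

Rule order inside the list is the evaluation order, so a tenant allowlist placed before the shared block rules bypasses them only for the listed CIDRs while extra rules still apply to everyone else.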
Edited by Tarun Khandelwal