Allow limiting contents of WAF audit logs

Problem to solve

As discussed in the WAF logging technical discovery issue, we currently use ModSecurity's recommended default for SecAuditLogParts, which records the full request contents (headers and request body) in our request audit logs. These logs are currently viewable only by maintainers, but we may still wish to limit their contents more strictly and/or make the setting configurable.

Intended users

  • Delaney (Development Team Lead)
  • Sidney (Systems Administrator)
  • Sam (Security Analyst)

Further details

Proposal

Expose SecAuditLogParts as a user-overridable WAF setting, e.g. AUTO_DEVOPS_MODSECURITY_SEC_AUDIT_LOG_PARTS (example name; the final name may differ).

  • If not specified, the current default stays in effect and the full request contents are recorded.

Permissions and Security

The variable should be configurable at the CI settings level or through any other means of modifying the CI configuration. No change to existing permissions.

Documentation

Add the new variable to the Auto DevOps (ADO) build and deployment variables documentation.

Testing

Ensure that reducing the logged parts reduces the amount of data returned in the pod logs; e.g. removing parts C and I (the request body parts) prevents the request body from being logged.
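One way to exercise both the proposal and the test above in code, as an added example that is not part of the original issue, of ModSecurity, or of the auto-deploy-app chart: it validates a candidate value for the new variable against the ModSecurity 2.x audit log part letters, reports whether that value would write the request body (parts C or I) to the log, and parses a serial-format audit log to confirm which parts actually reached the log. The two audit log entries are constructed samples, and HEADERS_ONLY is an assumed restricted value, not anything the proposal fixes.

```python
"""Check a SecAuditLogParts value and verify what a ModSecurity serial audit
log actually contains. Added example for this proposal, not project code.
The part letters follow the ModSecurity 2.x reference; sample log entries
below are constructed."""
import re

# Audit log parts defined by ModSecurity 2.x (condensed descriptions).
PARTS = dict(A="audit log header (mandatory)", B="request headers", C="request body",
             D="reserved", E="intermediary response body", F="final response headers",
             G="reserved", H="audit log trailer", I="compact request body (replaces C)",
             J="uploaded files information", K="matched rules", Z="final boundary (mandatory)")
REQUEST_BODY_PARTS = {"C", "I"}

RECOMMENDED_DEFAULT = "ABIJDEFHZ"  # value shipped in modsecurity.conf-recommended
HEADERS_ONLY = "ABFHZ"             # assumed restricted value: no request or response bodies


def validate_parts(value):
    """Normalise a SecAuditLogParts value, rejecting unknown letters and
    values that lack the mandatory A and Z parts."""
    value = value.strip().upper()
    unknown = sorted(set(value) - set(PARTS))
    if unknown:
        raise ValueError("unknown audit log parts: " + "".join(unknown))
    if "A" not in value or "Z" not in value:
        raise ValueError("SecAuditLogParts must include parts A and Z")
    return value


def logs_request_body(value):
    """True if the configured parts would write the request body to the log."""
    return bool(set(validate_parts(value)) & REQUEST_BODY_PARTS)


# Serial audit log format: every section opens with a "--<boundary>-<part>--" line.
SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.MULTILINE)


def parse_audit_entries(text):
    """Split a serial audit log into entries of {part letter: section text}."""
    entries, current = [], None
    markers = list(SECTION_RE.finditer(text))
    for i, m in enumerate(markers):
        boundary, part = m.group(1), m.group(2)
        end = markers[i + 1].start() if i + 1 < len(markers) else len(text)
        section = text[m.end():end].strip("\n")
        if part == "A":                       # A opens a new entry
            current = {"boundary": boundary, "parts": {}}
            entries.append(current)
        if current is None or current["boundary"] != boundary:
            raise ValueError(f"part {part} of {boundary} appears outside an entry")
        current["parts"][part] = section
        if part == "Z":                       # Z closes it
            current = None
    return entries


def entries_with_request_body(text):
    """Boundaries of entries that still carry a request body section (C or I)."""
    return [e["boundary"] for e in parse_audit_entries(text)
            if REQUEST_BODY_PARTS & set(e["parts"])]


# Constructed samples: the same login request logged with the recommended
# default (request body present as part C) and with HEADERS_ONLY.
FULL_LOG = """--5a1b2c3d-A--
[29/Jan/2020:10:00:00 +0000] XiFbXzKr7QIAAH1tAgAAAAA 10.0.0.5 54321 10.0.0.7 8080
--5a1b2c3d-B--
POST /login HTTP/1.1
Host: app.example.com
Content-Type: application/x-www-form-urlencoded

--5a1b2c3d-C--
username=sam&password=hunter2
--5a1b2c3d-F--
HTTP/1.1 302 Found
Location: /home

--5a1b2c3d-H--
Engine-Mode: "DETECTION_ONLY"
--5a1b2c3d-Z--
"""

REDUCED_LOG = """--7e4f9a02-A--
[29/Jan/2020:10:00:01 +0000] XiFbYTKr7QIAAH1tAwAAAAA 10.0.0.5 54322 10.0.0.7 8080
--7e4f9a02-B--
POST /login HTTP/1.1
Host: app.example.com
Content-Type: application/x-www-form-urlencoded

--7e4f9a02-F--
HTTP/1.1 302 Found
Location: /home

--7e4f9a02-H--
Engine-Mode: "DETECTION_ONLY"
--7e4f9a02-Z--
"""
```

Note that part C only appears when SecRequestBodyAccess is On, so a test of the new variable should keep body access enabled and vary only SecAuditLogParts, otherwise the absence of the body in the pod logs proves nothing about the variable.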

What does success look like, and how can we measure that?

What is the type of buyer?

This is available to users with Core.

Links / references

Technical Discovery

Customizations on an ingress basis will require new fields to be added to the auto-deploy-app chart, with their respective values set from an environment variable through auto-deploy-image. This is similar to the work done for #8558 (closed) and, more recently, #8556 (closed).

Edited Jan 29, 2020 by Zamir Martins