diff --git a/aws/eks/waf.tf b/aws/eks/waf.tf
index 1f1e51f36..cc7dbd109 100644
--- a/aws/eks/waf.tf
+++ b/aws/eks/waf.tf
@@ -536,23 +536,46 @@ resource "aws_wafv2_web_acl" "notification-canada-ca" {
 limit = var.non_api_waf_rate_limit
 aggregate_key_type = "IP"
 scope_down_statement {
- not_statement {
+ and_statement {
 statement {
- byte_match_statement {
- positional_constraint = "STARTS_WITH"
- field_to_match {
- single_header {
- name = "host"
+ not_statement {
+ statement {
+ byte_match_statement {
+ positional_constraint = "EXACTLY"
+ search_string = var.waf_secret
+ field_to_match {
+ single_header {
+ name = "waf-secret"
+ }
+ }
+ text_transformation {
+ priority = 1
+ type = "NONE"
+ }
+ }
 }
 }
- search_string = "api"
- text_transformation {
- priority = 1
- type = "COMPRESS_WHITE_SPACE"
- }
- text_transformation {
- priority = 2
- type = "LOWERCASE"
+ }
+ }
+ statement {
+ not_statement {
+ statement {
+ byte_match_statement {
+ positional_constraint = "STARTS_WITH"
+ field_to_match {
+ single_header {
+ name = "host"
+ }
+ }
+ search_string = "api"
+ text_transformation {
+ priority = 1
+ type = "COMPRESS_WHITE_SPACE"
+ }
+ text_transformation {
+ priority = 2
+ type = "LOWERCASE"
+ }
+ }
 }
 }
 }
@@ -561,7 +584,6 @@ resource "aws_wafv2_web_acl" "notification-canada-ca" {
 }
 }
 }
-
 rule {
 name = "ApiRateLimit"
 priority = 210
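Review bot: `search_string = var.waf_secret` turns the `waf-secret` header into a credential that exempts any request carrying it from the non-API rate limit, so the value needs the handling of a secret: the variable should be declared `sensitive = true` (otherwise it is echoed in plan output; it sits in state in clear text either way) and should carry a `validation` block rejecting short values, because a weak or empty secret makes the exemption trivially reachable. Matching with `positional_constraint = "EXACTLY"` and a single `NONE` transformation is the right choice here, since no case folding or whitespace collapsing widens what counts as a match. Exempt requests leave no trace in this rule's metrics, so consider pairing it with a count-action rule on the same header so that use of the bypass stays visible in the WAF logs. As captured, the added lines include one closing `}` more than the nesting needs and one line more than the `+46` header accounts for, most likely an artifact of how the diff was rendered, but worth a `terraform validate` if it is not. The enclosing rate-based rule starts before the hunk and its closing braces continue into the next one.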