Allow internal traffic through WAF

heerener · heerener · commit f8c7052269d6 · 2025-04-09T15:24:19.000+02:00
diff --git a/obp_private_alb_config/private-alb-waf.tf b/obp_private_alb_config/private-alb-waf.tf
@@ -1,3 +1,9 @@
+resource "aws_wafv2_ip_set" "internal_ips" {
+  name               = "internal IPs"
+  scope              = "REGIONAL"
+  ip_address_version = "IPV4"
+  addresses          = ["10.0.0.0/16"]
+}
 resource "aws_wafv2_web_acl" "basic_protection" {
   name  = "private-alb-waf"
   scope = "REGIONAL"
@@ -38,6 +44,27 @@ resource "aws_wafv2_web_acl" "basic_protection" {
     }
   }
 
+  rule {
+    name     = "obi-allow-internal-traffic"
+    priority = 5
+
+    action {
+      allow {}
+    }
+
+    statement {
+      ip_set_reference_statement {
+        arn = aws_wafv2_ip_set.internal_ips.arn
+      }
+    }
+
+    visibility_config {
+      cloudwatch_metrics_enabled = false
+      metric_name                = "obi_allow-internal-traffic"
+      sampled_requests_enabled   = false
+    }
+  }
+
   rule {
     name     = "aws-common-ruleset"
     priority = 10
