feat: make ngwaf bits enabled via var

JacobCoffee · JacobCoffee · commit 33da5a2746ff · 2024-09-11T13:50:27.000-05:00
diff --git a/infra/cdn/main.tf b/infra/cdn/main.tf
@@ -342,6 +342,43 @@ resource "fastly_service_vcl" "python_org" {
     response          = "Forbidden"
     status            = 403
   }
+
+  # NGWAF Configuration
+  dictionary {
+    for_each = var.activate_ngwaf_service ? [1] : []
+    name = var.edge_security_dictionary
+  }
+
+  dynamicsnippet {
+    for_each = var.activate_ngwaf_service ? [1] : []
+    name     = "ngwaf_config_init"
+    type     = "init"
+    priority = 0
+  }
+  dynamicsnippet {
+    for_each = var.activate_ngwaf_service ? [1] : []
+    name     = "ngwaf_config_miss"
+    type     = "miss"
+    priority = 9000
+  }
+  dynamicsnippet {
+    for_each = var.activate_ngwaf_service ? [1] : []
+    name     = "ngwaf_config_pass"
+    type     = "pass"
+    priority = 9000
+  }
+  dynamicsnippet {
+    for_each = var.activate_ngwaf_service ? [1] : []
+    name     = "ngwaf_config_deliver"
+    type     = "deliver"
+    priority = 9000
+  }
+
+  lifecycle {
+    ignore_changes = [
+      product_enablement,
+    ]
+  }
 }
 
 output "service_id" {
diff --git a/infra/cdn/ngwaf.tf b/infra/cdn/ngwaf.tf
@@ -1,105 +1,19 @@
-resource "fastly_service_vcl" "ngwaf_service" {
-  count    = var.activate_ngwaf_service ? 1 : 0
-  name     = "${var.name}-ngwaf"
-  activate = var.activate_ngwaf_service
-
-  domain {
-    name    = var.domain
-    comment = "NGWAF domain"
-  }
-
-  backend {
-    address           = var.backend_address
-    name              = "ngwaf_backend"
-    port              = 443
-    use_ssl           = true
-    ssl_cert_hostname = var.backend_address
-    ssl_sni_hostname  = var.backend_address
-    override_host     = var.backend_address
-  }
-
-  # NGWAF Dynamic Snippets
-  dynamicsnippet {
-    name     = "ngwaf_config_init"
-    type     = "init"
-    priority = 0
-  }
-
-  dynamicsnippet {
-    name     = "ngwaf_config_miss"
-    type     = "miss"
-    priority = 9000
-  }
-
-  dynamicsnippet {
-    name     = "ngwaf_config_pass"
-    type     = "pass"
-    priority = 9000
-  }
-
-  dynamicsnippet {
-    name     = "ngwaf_config_deliver"
-    type     = "deliver"
-    priority = 9000
-  }
-
-  dictionary {
-    name = var.edge_security_dictionary
-  }
-
-  product_enablement {
-    bot_management = true
-  }
-
-  lifecycle {
-    ignore_changes = [product_enablement]
-  }
-}
-
-output "ngwaf_service_id" {
-  value = var.activate_ngwaf_service ? fastly_service_vcl.ngwaf_service[0].id : null
-}
-
 # Fastly Service Dictionary Items
 resource "fastly_service_dictionary_items" "edge_security_dictionary_items" {
   count         = var.activate_ngwaf_service ? 1 : 0
-  service_id    = fastly_service_vcl.ngwaf_service[0].id
-  dictionary_id = [for d in fastly_service_vcl.ngwaf_service[0].dictionary : d.dictionary_id if d.name == var.edge_security_dictionary][0]
+  service_id    = fastly_service_vcl.python_org.id
+  dictionary_id = one([for d in fastly_service_vcl.python_org.dictionary : d.dictionary_id if d.name == var.edge_security_dictionary])
   items = {
     Enabled : "100"
   }
 }
 
 # Fastly Service Dynamic Snippet Contents
-resource "fastly_service_dynamic_snippet_content" "ngwaf_config_init" {
-  count           = var.activate_ngwaf_service ? 1 : 0
-  service_id      = fastly_service_vcl.ngwaf_service[0].id
-  snippet_id      = [for d in fastly_service_vcl.ngwaf_service[0].dynamicsnippet : d.snippet_id if d.name == "ngwaf_config_init"][0]
-  content         = "### Fastly managed ngwaf_config_init"
-  manage_snippets = false
-}
-
-resource "fastly_service_dynamic_snippet_content" "ngwaf_config_miss" {
-  count           = var.activate_ngwaf_service ? 1 : 0
-  service_id      = fastly_service_vcl.ngwaf_service[0].id
-  snippet_id      = [for d in fastly_service_vcl.ngwaf_service[0].dynamicsnippet : d.snippet_id if d.name == "ngwaf_config_miss"][0]
-  content         = "### Fastly managed ngwaf_config_miss"
-  manage_snippets = false
-}
-
-resource "fastly_service_dynamic_snippet_content" "ngwaf_config_pass" {
-  count           = var.activate_ngwaf_service ? 1 : 0
-  service_id      = fastly_service_vcl.ngwaf_service[0].id
-  snippet_id      = [for d in fastly_service_vcl.ngwaf_service[0].dynamicsnippet : d.snippet_id if d.name == "ngwaf_config_pass"][0]
-  content         = "### Fastly managed ngwaf_config_pass"
-  manage_snippets = false
-}
-
-resource "fastly_service_dynamic_snippet_content" "ngwaf_config_deliver" {
-  count           = var.activate_ngwaf_service ? 1 : 0
-  service_id      = fastly_service_vcl.ngwaf_service[0].id
-  snippet_id      = [for d in fastly_service_vcl.ngwaf_service[0].dynamicsnippet : d.snippet_id if d.name == "ngwaf_config_deliver"][0]
-  content         = "### Fastly managed ngwaf_config_deliver"
+resource "fastly_service_dynamic_snippet_content" "ngwaf_config_snippets" {
+  for_each        = var.activate_ngwaf_service ? toset(["init", "miss", "pass", "deliver"]) : []
+  service_id      = fastly_service_vcl.python_org.id
+  snippet_id      = one([for d in fastly_service_vcl.python_org.dynamicsnippet : d.snippet_id if d.name == "ngwaf_config_${each.key}"])
+  content         = "### Terraform managed ngwaf_config_${each.key}"
   manage_snippets = false
 }
 
@@ -114,26 +28,23 @@ resource "sigsci_edge_deployment_service" "ngwaf_edge_service_link" {
   count            = var.activate_ngwaf_service ? 1 : 0
   provider         = sigsci.firewall
   site_short_name  = var.ngwaf_site_name
-  fastly_sid       = fastly_service_vcl.ngwaf_service[0].id
-  activate_version = var.activate_ngwaf_service
+  fastly_sid       = fastly_service_vcl.python_org.id
+  activate_version = true
   percent_enabled  = 100
   depends_on = [
     sigsci_edge_deployment.ngwaf_edge_site_service,
-    fastly_service_vcl.ngwaf_service,
+    fastly_service_vcl.python_org,
     fastly_service_dictionary_items.edge_security_dictionary_items,
-    fastly_service_dynamic_snippet_content.ngwaf_config_init,
-    fastly_service_dynamic_snippet_content.ngwaf_config_miss,
-    fastly_service_dynamic_snippet_content.ngwaf_config_pass,
-    fastly_service_dynamic_snippet_content.ngwaf_config_deliver,
+    fastly_service_dynamic_snippet_content.ngwaf_config_snippets,
   ]
 }
 
 resource "sigsci_edge_deployment_service_backend" "ngwaf_edge_service_backend_sync" {
   count                             = var.activate_ngwaf_service ? 1 : 0
   provider                          = sigsci.firewall
   site_short_name                   = var.ngwaf_site_name
-  fastly_sid                        = fastly_service_vcl.ngwaf_service[0].id
-  fastly_service_vcl_active_version = fastly_service_vcl.ngwaf_service[0].active_version
+  fastly_sid                        = fastly_service_vcl.python_org.id
+  fastly_service_vcl_active_version = fastly_service_vcl.python_org.active_version
   depends_on = [
     sigsci_edge_deployment_service.ngwaf_edge_service_link,
   ]
