feat: disable ngwaf somewhat; add cert, header token,

Author: JacobCoffee

infra/certs/psf.io.pem

@@ -0,0 +1 @@
+-----BEGIN CERTIFICATE----- MIIEQzCCAyugAwIBAgIUYH38nEb2KLRgscKhjcNpBLRUz+UwDQYJKoZIhvcNAQEL BQAwgbAxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZPcmVnb24xEjAQBgNVBAcMCUJl YXZlcnRvbjEjMCEGA1UECgwaUHl0aG9uIFNvZnR3YXJlIEZvdW5kYXRpb24xHDAa BgNVBAsME0luZnJhc3RydWN0dXJlIFRlYW0xDzANBgNVBAMMBlBTRl9DQTEoMCYG CSqGSIb3DQEJARYZaW5mcmFzdHJ1Y3R1cmVAcHl0aG9uLm9yZzAeFw0yNDAyMTIx NzU0MDZaFw0yOTAyMTAxNzU0MDZaMIGwMQswCQYDVQQGEwJVUzEPMA0GA1UECAwG T3JlZ29uMRIwEAYDVQQHDAlCZWF2ZXJ0b24xIzAhBgNVBAoMGlB5dGhvbiBTb2Z0 d2FyZSBGb3VuZGF0aW9uMRwwGgYDVQQLDBNJbmZyYXN0cnVjdHVyZSBUZWFtMQ8w DQYDVQQDDAZQU0ZfQ0ExKDAmBgkqhkiG9w0BCQEWGWluZnJhc3RydWN0dXJlQHB5 dGhvbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXAZagv2UK AEnnnnrK/WWcZIKo/l+HTgL01XhReu9CDNs3f3ESlRT3Y4Hbla/pYRu9VM8tMGYS xG5FGJQ2JPVnKCb3mIEC7wy9+VOaQIp3l8+o0lDQhsOZs78ZA8XQpNLD5OURsUHJ re1U6WOTryMJwxpO+DzSBU+oSwfdn2k0BAJqSeIU45hHXeHO24z7GePuk3I1wb+E vfhtdIF/tHvF1I6h7ntmHUeUWYrTKXKB9meMAFwEC1ZNoN1z05X68cSeK8dAsxYh ghmQnUZ4hHH8pLlhYW/QBTol0nutwgHPyC9FIJnZzX50xAMRx3TKP1IbIehWBwF2 CYJq6pRBZ1mfAgMBAAGjUzBRMB0GA1UdDgQWBBQrAQVRNWd6eVr6ZGn8vshzgS09 qDAfBgNVHSMEGDAWgBQrAQVRNWd6eVr6ZGn8vshzgS09qDAPBgNVHRMBAf8EBTAD AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBmtyljZ1q2manMvIMEtXtc9lq3gwxIP4Pq ic5hKuEHDSy5iN0vZRhoqfgPzXMy61zCrvLmvxv8nN2B4Us44KQRzWwDvi8SavfQ LxRZ4KLe5Bg7MNfIKM/ZqYqHIt1FtVFYR7UyEILN/yDCyQC+8n6s8RLmT5OtZHPL 0YAyHgdao4qCICkZShbCukq81ULvkq7i6QvHWZrVGAIc/1nN71QNEUMr9KtlTKO3 TeSd+l13+CDGwMXUpglDiFL329TmG5pKr/zoTCGDmRvEfRPtICwY3FgqGDpmIwhw dXq0JPGHrFODeVrchUMSGqXhAZ+k/9YdJlGLbv3WJmD1GwFTs3Wf -----END CERTIFICATE-----

infra/fastly.tf

@@ -17,13 +17,13 @@ resource "fastly_service_vcl" "test_python_org" {
 
   backend {
     name                  = "cabotage"
-    address               = "test-pythondotorg.ingress.us-east-2.psfhosted.computer"
+    address               = "pythondotorg.ingress.us-east-2.psfhosted.computer"
     port                  = 443
     shield                = "iad-va-us"
     auto_loadbalance      = false
     ssl_check_cert        = true
-    ssl_cert_hostname     = "test-pythondotorg.ingress.us-east-2.psfhosted.computer"
-    ssl_sni_hostname      = "test-pythondotorg.ingress.us-east-2.psfhosted.computer"
+    ssl_cert_hostname     = "pythondotorg.ingress.us-east-2.psfhosted.computer"
+    ssl_sni_hostname      = "pythondotorg.ingress.us-east-2.psfhosted.computer"
     weight                = 100
     max_conn              = 200
     connect_timeout       = 1000
@@ -40,7 +40,7 @@ resource "fastly_service_vcl" "test_python_org" {
     ssl_check_cert        = true
     ssl_cert_hostname     = "lb.psf.io"
     ssl_sni_hostname      = "lb.psf.io"
-    ssl_ca_cert           = "" # TODO(@ee)
+    ssl_ca_cert           = file("${path.module}/certs/psf.io.pem")
     weight                = 100
     max_conn              = 200
     connect_timeout       = 1000
@@ -169,7 +169,7 @@ resource "fastly_service_vcl" "test_python_org" {
     name              = "Is Download Director"
     priority          = 10
     request_condition = "Is Download"
-    source            = "F_lb_nyc1_psf_io"
+    source            = "loadbalancer"
     type              = "request"
   }
   header {
@@ -178,15 +178,15 @@ resource "fastly_service_vcl" "test_python_org" {
     name              = "Is Not Download Backend"
     priority          = 10
     request_condition = "Is Not Download"
-    source            = "F_cabotage"
+    source            = "cabotage"
     type              = "request"
   }
   header {
     action      = "set"
     destination = "http.Fastly-Token"
     name        = "Fastly Token"
     priority    = 10
-    source      = var.FASTLY_HEADER_TOKEN
+    source      = "\"${var.FASTLY_HEADER_TOKEN}\""
     type        = "request"
   }
   header {
@@ -267,8 +267,8 @@ resource "fastly_service_vcl" "test_python_org" {
     redundancy        = "standard"
     format_version    = 2
     message_type      = "classic"
-    s3_access_key     = var.S3_ACCESS_KEY
-    s3_secret_key     = var.S3_SECRET_KEY
+    s3_access_key     = var.AWS_ACCESS_KEY_ID
+    s3_secret_key     = var.AWS_SECRET_ACCESS_KEY
   }
 
   logging_syslog {
@@ -347,90 +347,37 @@ resource "fastly_service_vcl" "test_python_org" {
   }
 
   # NGWAF Dynamic Snippets
-  dynamicsnippet {
-    name     = "ngwaf_config_init"
-    type     = "init"
-    priority = 0
-  }
-
-  dynamicsnippet {
-    name     = "ngwaf_config_miss"
-    type     = "miss"
-    priority = 9000
-  }
-
-  dynamicsnippet {
-    name     = "ngwaf_config_pass"
-    type     = "pass"
-    priority = 9000
-  }
-
-  dynamicsnippet {
-    name     = "ngwaf_config_deliver"
-    type     = "deliver"
-    priority = 9000
-  }
+#   dynamicsnippet {
+#     name     = "ngwaf_config_init"
+#     type     = "init"
+#     priority = 0
+#   }
+#
+#   dynamicsnippet {
+#     name     = "ngwaf_config_miss"
+#     type     = "miss"
+#     priority = 9000
+#   }
+#
+#   dynamicsnippet {
+#     name     = "ngwaf_config_pass"
+#     type     = "pass"
+#     priority = 9000
+#   }
+#
+#   dynamicsnippet {
+#     name     = "ngwaf_config_deliver"
+#     type     = "deliver"
+#     priority = 9000
+#   }
 
-  dictionary {
-    name = var.Edge_Security_dictionary
-  }
+#   dictionary {
+#     name = var.Edge_Security_dictionary
+#   }
 
   lifecycle {
     ignore_changes = [product_enablement]
   }
 
   force_destroy = true
 }
-
-# Fastly Service Dictionary Items
-resource "fastly_service_dictionary_items" "edge_security_dictionary_items" {
-  for_each = {
-    for d in fastly_service_vcl.test_python_org.dictionary : d.name => d if d.name == var.Edge_Security_dictionary
-  }
-  service_id    = fastly_service_vcl.test_python_org.id
-  dictionary_id = each.value.dictionary_id
-  items = {
-    Enabled : "100"
-  }
-}
-
-# Fastly Service Dynamic Snippet Contents
-resource "fastly_service_dynamic_snippet_content" "ngwaf_config_init" {
-  for_each = {
-    for d in fastly_service_vcl.test_python_org.dynamicsnippet : d.name => d if d.name == "ngwaf_config_init"
-  }
-  service_id      = fastly_service_vcl.test_python_org.id
-  snippet_id      = each.value.snippet_id
-  content         = "### Fastly managed ngwaf_config_init"
-  manage_snippets = false
-}
-
-resource "fastly_service_dynamic_snippet_content" "ngwaf_config_miss" {
-  for_each = {
-    for d in fastly_service_vcl.test_python_org.dynamicsnippet : d.name => d if d.name == "ngwaf_config_miss"
-  }
-  service_id      = fastly_service_vcl.test_python_org.id
-  snippet_id      = each.value.snippet_id
-  content         = "### Fastly managed ngwaf_config_miss"
-  manage_snippets = false
-}
-
-resource "fastly_service_dynamic_snippet_content" "ngwaf_config_pass" {
-  for_each = {
-    for d in fastly_service_vcl.test_python_org.dynamicsnippet : d.name => d if d.name == "ngwaf_config_pass"
-  }
-  service_id      = fastly_service_vcl.test_python_org.id
-  snippet_id      = each.value.snippet_id
-  content         = "### Fastly managed ngwaf_config_pass"
-  manage_snippets = false
-}
-
-resource "fastly_service_dynamic_snippet_content" "ngwaf_config_deliver" {
-  for_each = {
-    for d in fastly_service_vcl.test_python_org.dynamicsnippet : d.name => d if d.name == "ngwaf_config_deliver"
-  }
-  service_id      = fastly_service_vcl.test_python_org.id
-  snippet_id      = each.value.snippet_id
-  content         = "### Fastly managed ngwaf_config_deliver"
-  manage_snippets = false
-}

infra/ngwaf.tf

@@ -1,29 +1,84 @@
-# NGWAF Edge Deployment
-resource "sigsci_edge_deployment" "ngwaf_edge_site_service" {
-  site_short_name = var.NGWAF_SITE
-}
-
-resource "sigsci_edge_deployment_service" "ngwaf_edge_service_link" {
-  site_short_name  = var.NGWAF_SITE
-  fastly_sid       = fastly_service_vcl.test_python_org.id
-  activate_version = true
-  percent_enabled  = 100
-  depends_on = [
-    sigsci_edge_deployment.ngwaf_edge_site_service,
-    fastly_service_vcl.test_python_org,
-    fastly_service_dictionary_items.edge_security_dictionary_items,
-    fastly_service_dynamic_snippet_content.ngwaf_config_init,
-    fastly_service_dynamic_snippet_content.ngwaf_config_miss,
-    fastly_service_dynamic_snippet_content.ngwaf_config_pass,
-    fastly_service_dynamic_snippet_content.ngwaf_config_deliver,
-  ]
-}
-
-resource "sigsci_edge_deployment_service_backend" "ngwaf_edge_service_backend_sync" {
-  site_short_name                   = var.NGWAF_SITE
-  fastly_sid                        = fastly_service_vcl.test_python_org.id
-  fastly_service_vcl_active_version = fastly_service_vcl.test_python_org.active_version
-  depends_on = [
-    sigsci_edge_deployment_service.ngwaf_edge_service_link,
-  ]
-}
+# # NGWAF Edge Deployment
+#
+# # Fastly Service Dictionary Items
+# resource "fastly_service_dictionary_items" "edge_security_dictionary_items" {
+#   for_each = {
+#     for d in fastly_service_vcl.test_python_org.dictionary : d.name => d if d.name == var.Edge_Security_dictionary
+#   }
+#   service_id    = fastly_service_vcl.test_python_org.id
+#   dictionary_id = each.value.dictionary_id
+#   items = {
+#     Enabled : "100"
+#   }
+# }
+#
+# # Fastly Service Dynamic Snippet Contents
+# resource "fastly_service_dynamic_snippet_content" "ngwaf_config_init" {
+#   for_each = {
+#     for d in fastly_service_vcl.test_python_org.dynamicsnippet : d.name => d if d.name == "ngwaf_config_init"
+#   }
+#   service_id      = fastly_service_vcl.test_python_org.id
+#   snippet_id      = each.value.snippet_id
+#   content         = "### Fastly managed ngwaf_config_init"
+#   manage_snippets = false
+# }
+#
+# resource "fastly_service_dynamic_snippet_content" "ngwaf_config_miss" {
+#   for_each = {
+#     for d in fastly_service_vcl.test_python_org.dynamicsnippet : d.name => d if d.name == "ngwaf_config_miss"
+#   }
+#   service_id      = fastly_service_vcl.test_python_org.id
+#   snippet_id      = each.value.snippet_id
+#   content         = "### Fastly managed ngwaf_config_miss"
+#   manage_snippets = false
+# }
+#
+# resource "fastly_service_dynamic_snippet_content" "ngwaf_config_pass" {
+#   for_each = {
+#     for d in fastly_service_vcl.test_python_org.dynamicsnippet : d.name => d if d.name == "ngwaf_config_pass"
+#   }
+#   service_id      = fastly_service_vcl.test_python_org.id
+#   snippet_id      = each.value.snippet_id
+#   content         = "### Fastly managed ngwaf_config_pass"
+#   manage_snippets = false
+# }
+#
+# resource "fastly_service_dynamic_snippet_content" "ngwaf_config_deliver" {
+#   for_each = {
+#     for d in fastly_service_vcl.test_python_org.dynamicsnippet : d.name => d if d.name == "ngwaf_config_deliver"
+#   }
+#   service_id      = fastly_service_vcl.test_python_org.id
+#   snippet_id      = each.value.snippet_id
+#   content         = "### Fastly managed ngwaf_config_deliver"
+#   manage_snippets = false
+# }
+#
+#
+# resource "sigsci_edge_deployment" "ngwaf_edge_site_service" {
+#   site_short_name = var.NGWAF_SITE
+# }
+#
+# resource "sigsci_edge_deployment_service" "ngwaf_edge_service_link" {
+#   site_short_name  = var.NGWAF_SITE
+#   fastly_sid       = fastly_service_vcl.test_python_org.id
+#   activate_version = true
+#   percent_enabled  = 100
+#   depends_on = [
+#     sigsci_edge_deployment.ngwaf_edge_site_service,
+#     fastly_service_vcl.test_python_org,
+#     fastly_service_dictionary_items.edge_security_dictionary_items,
+#     fastly_service_dynamic_snippet_content.ngwaf_config_init,
+#     fastly_service_dynamic_snippet_content.ngwaf_config_miss,
+#     fastly_service_dynamic_snippet_content.ngwaf_config_pass,
+#     fastly_service_dynamic_snippet_content.ngwaf_config_deliver,
+#   ]
+# }
+#
+# resource "sigsci_edge_deployment_service_backend" "ngwaf_edge_service_backend_sync" {
+#   site_short_name                   = var.NGWAF_SITE
+#   fastly_sid                        = fastly_service_vcl.test_python_org.id
+#   fastly_service_vcl_active_version = fastly_service_vcl.test_python_org.active_version
+#   depends_on = [
+#     sigsci_edge_deployment_service.ngwaf_edge_service_link,
+#   ]
+# }

infra/out.tf

@@ -1,16 +1,16 @@
-output "testing-the_ngwaf" {
-  value       = <<tfmultiline
-  #### Click the URL to go to the service ####
-  https://cfg.fastly.com/${fastly_service_vcl.test_python_org.id}
-  #### Send a test request with curl. ####
-  curl -i "https://${var.USER_VCL_SERVICE_DOMAIN_NAME}/anything/whydopirates?likeurls=theargs" -d foo=bar
-  #### Send an test as cmd exe request with curl. ####
-  curl -i "https://${var.USER_VCL_SERVICE_DOMAIN_NAME}/anything/myattackreq?i=../../../../etc/passwd'" -d foo=bar
-  #### Troubleshoot the logging configuration if necessary. ####
-  curl https://api.fastly.com/service/${fastly_service_vcl.test_python_org.id}/logging_status -H fastly-key:$FASTLY_API_KEY
-  tfmultiline
-  description = "Output hints on what to do next."
-  depends_on = [
-    sigsci_edge_deployment_service.ngwaf_edge_service_link
-  ]
-}
+# output "testing-the_ngwaf" {
+#   value       = <<tfmultiline
+#   #### Click the URL to go to the service ####
+#   https://cfg.fastly.com/${fastly_service_vcl.test_python_org.id}
+#   #### Send a test request with curl. ####
+#   curl -i "https://${var.USER_VCL_SERVICE_DOMAIN_NAME}/anything/whydopirates?likeurls=theargs" -d foo=bar
+#   #### Send an test as cmd exe request with curl. ####
+#   curl -i "https://${var.USER_VCL_SERVICE_DOMAIN_NAME}/anything/myattackreq?i=../../../../etc/passwd'" -d foo=bar
+#   #### Troubleshoot the logging configuration if necessary. ####
+#   curl https://api.fastly.com/service/${fastly_service_vcl.test_python_org.id}/logging_status -H fastly-key:$FASTLY_API_KEY
+#   tfmultiline
+#   description = "Output hints on what to do next."
+#   depends_on = [
+#     sigsci_edge_deployment_service.ngwaf_edge_service_link
+#   ]
+# }

infra/terraform.tfvars.example

@@ -1,7 +1,5 @@
 AWS_ACCESS_KEY_ID = "NotARealKey"
 AWS_SECRET_ACCESS_KEY = "NotARealKey"
-S3_ACCESS_KEY_ID = NotARealKey"
-S3_SECRET_KEY = "NotARealKey"
 
 NGWAF_TOKEN = "NotARealKey"
 FASTLY_API_KEY = "NotARealKey"

infra/variables.tf

@@ -65,17 +65,6 @@ variable "AWS_SECRET_ACCESS_KEY" {
   sensitive   = true
 }
 
-variable "S3_ACCESS_KEY" {
-  type        = string
-  description = "Access key for the S3 bucket."
-  sensitive   = true
-}
-variable "S3_SECRET_KEY" {
-  type        = string
-  description = "Secret access key for the S3 bucket."
-  sensitive   = true
-}
-
 variable "route53_zone_id" {
   type        = string
   description = "The Route 53 hosted zone ID"