Complete infrastructure and integration updates

Infrastructure improvements: - Update CloudFront distribution with ACM certificate support - Enable custom domain aliases when certificate is available - Add comprehensive WAF outputs for CrowdSec integration - Update variables with current configuration defaults New files: - Add CrowdSec WAF integration documentation - Add sync script for CrowdSec to WAF automation - Add MCP configuration for development tools Configuration updates: - Align Terraform configuration with deployed state - Enable ACM certificate and Route53 DNS by default - Maintain HTTP-only origin protocol for compatibility 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-09 15:33:36 +09:00
parent d5440630f5
commit b87947e3e3
7 changed files with 515 additions and 10 deletions
--- a/security.tf
+++ b/security.tf
@@ -83,6 +83,24 @@ resource "aws_security_group" "web" {
  }
 }

+# IP Set for blocked IPs
+resource "aws_wafv2_ip_set" "blocked_ips" {
+  provider           = aws.us_east_1  # CloudFront WAF must be in us-east-1
+  count              = var.enable_waf ? 1 : 0
+  name               = "${var.project_name}-${var.environment}-blocked-ips"
+  description        = "IP addresses to be blocked"
+  scope              = "CLOUDFRONT"
+  ip_address_version = "IPV4"
+
+  # Start with empty set - IPs can be added via AWS CLI or Console
+  addresses = []
+
+  tags = {
+    Name = "${var.project_name}-${var.environment}-blocked-ips"
+  }
+}
+
+
 # WAF Web ACL for CloudFront (optional)
 resource "aws_wafv2_web_acl" "cloudfront" {
  provider = aws.us_east_1  # CloudFront WAF must be in us-east-1
@@ -94,10 +112,32 @@ resource "aws_wafv2_web_acl" "cloudfront" {
    allow {}
  }

-  # Rate limiting rule
+  # Block IPs in blocked list
+  rule {
+    name     = "BlockedIPsRule"
+    priority = 1
+
+    action {
+      block {}
+    }
+
+    statement {
+      ip_set_reference_statement {
+        arn = aws_wafv2_ip_set.blocked_ips[0].arn
+      }
+    }
+
+    visibility_config {
+      cloudwatch_metrics_enabled = true
+      metric_name                = "BlockedIPsRule"
+      sampled_requests_enabled   = true
+    }
+  }
+
+  # Rate limiting rule (original setting restored)
  rule {
    name     = "RateLimitRule"
-    priority = 1
+    priority = 2

    action {
      block {}
@@ -120,7 +160,7 @@ resource "aws_wafv2_web_acl" "cloudfront" {
  # AWS Managed Rules - Core Rule Set
  rule {
    name     = "AWSManagedRulesCommonRuleSet"
-    priority = 2
+    priority = 3

    override_action {
      none {}
@@ -143,7 +183,7 @@ resource "aws_wafv2_web_acl" "cloudfront" {
  # AWS Managed Rules - Known Bad Inputs
  rule {
    name     = "AWSManagedRulesKnownBadInputsRuleSet"
-    priority = 3
+    priority = 4

    override_action {
      none {}