Update documentation with current infrastructure state

- Update all resource IDs to match current deployment - CloudFront Distribution: EATJ1HDQU8V51 - WAF Web ACL: d61073b6-27b1-473e-aa9f-d2aa4a4c75a6 - WAF IP Set: a9e47946-c186-4b28-83a8-fe3aeb9c296b - ACM Certificate: b011e60a-1ea1-4dd3-844f-e0851ece4784 - Route53 Zone: Z01934581JQAF2GS71GG - Reflect enabled ACM certificate and Route53 DNS management - Update all AWS CLI commands with correct resource IDs 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-09 15:32:35 +09:00
parent 3b66e6d29f
commit d5440630f5
3 changed files with 460 additions and 340 deletions
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -2,6 +2,10 @@

 This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.

+## Project Overview
+
+AWS CloudFront CDN with CrowdSec real-time security integration via Lambda. Implements automated IP blocking through webhook notifications.
+
 ## Common Development Commands

 ### Infrastructure Management
@@ -30,10 +34,10 @@ echo "yes" | tofu init -migrate-state

 ### Validation and Formatting
 ```bash
-# Validate Terraform configuration
+# Validate configuration
 tofu validate

-# Format Terraform files
+# Format files
 tofu fmt

 # Check syntax and validate variables
@@ -42,8 +46,8 @@ tofu plan -var-file=terraform.tfvars

 ### AWS Resource Verification
 ```bash
-# Check CloudFront distribution status
-aws cloudfront get-distribution --id E1XR8P4ENGP8RU --query 'Distribution.Status' --output text
+# Check CloudFront distribution status (Current Distribution ID: EATJ1HDQU8V51)
+aws cloudfront get-distribution --id EATJ1HDQU8V51 --query 'Distribution.Status' --output text

 # List all CloudFront distributions
 aws cloudfront list-distributions --query 'DistributionList.Items[*].[Id,Status,DistributionConfig.Enabled]' --output table
@@ -64,7 +68,7 @@ This is an AWS CloudFront CDN deployment using OpenTofu (Terraform fork) with th
 - **CloudFront Distribution**: Main CDN with custom origin server
 - **WAF v2 Web ACL**: Security layer with rate limiting and AWS managed rules
 - **S3 Backend**: Remote state storage with versioning and encryption
- **Optional CloudFormation Stack**: VPC and networking resources
+- **CrowdSec Integration**: Real-time threat detection and IP blocking

 **Critical Configuration Constraints:**
 - Origin server (`origin.servidor.it.com`) only supports HTTP, not HTTPS
@@ -75,8 +79,10 @@ This is an AWS CloudFront CDN deployment using OpenTofu (Terraform fork) with th
 ### File Structure and Responsibilities

 **Core Infrastructure:**
- `main.tf` - CloudFront distribution, origin configuration, cache behaviors, and optional CloudFormation stack
+- `main.tf` - CloudFront distribution, origin configuration, cache behaviors
 - `security.tf` - WAF Web ACL with rate limiting, managed rule sets, and security groups
+- `lambda.tf` - CrowdSec Lambda integration with API Gateway
+- `lambda-crowdsec-waf.py` - Lambda function for real-time IP management
 - `variables.tf` - All configurable parameters with validation rules
 - `outputs.tf` - CloudFront URLs, distribution IDs, and resource ARNs

@@ -100,6 +106,7 @@ This is an AWS CloudFront CDN deployment using OpenTofu (Terraform fork) with th
 - WAF protection with AWS managed rules and rate limiting
 - S3 buckets with encryption, versioning, and public access blocking
 - Security groups with principle of least privilege (when VPC enabled)
+- CrowdSec real-time threat detection with Lambda integration

 **Cache Strategy:**
 - Default behavior uses CachingDisabled policy for dynamic content
@@ -115,9 +122,9 @@ This is an AWS CloudFront CDN deployment using OpenTofu (Terraform fork) with th

 ### Critical Settings in terraform.tfvars
 - `origin_protocol_policy = "http-only"` - **Do not change to HTTPS** (causes 504 errors)
- `create_acm_certificate = false` - Custom certificates fail due to CAA restrictions
+- `create_acm_certificate = true` - ACM certificate enabled for custom domain
 - `enable_waf = true` - WAF is working and provides important security
- `create_route53_records = false` - DNS management disabled due to CAA restrictions
+- `create_route53_records = true` - Route53 DNS management enabled

 ### State Management
 - Backend uses S3 without DynamoDB locking (single developer setup)
@@ -135,15 +142,148 @@ This is an AWS CloudFront CDN deployment using OpenTofu (Terraform fork) with th
 - Compression enabled for all content types
 - Custom error pages redirect 404/403 to index.html for SPA support

-### Working vs Disabled Features
+## CrowdSec Integration
+
+**🔄 Automated Workflow**: CrowdSec → API Gateway → Lambda → AWS WAF → CloudFront
+
+**📊 Current Resources (Updated 2025-09-09):**
+- **CloudFront Distribution ID**: `EATJ1HDQU8V51`
+- **CloudFront URL**: `https://d2mhxhntq3ezzr.cloudfront.net`
+- **WAF Web ACL ID**: `d61073b6-27b1-473e-aa9f-d2aa4a4c75a6`
+- **WAF IP Set ID**: `a9e47946-c186-4b28-83a8-fe3aeb9c296b`
+- **Deployment Status**: `Deployed` ✅
+
+### CrowdSec Integration Commands
+
+**⚠️ Note**: IP management is now automated via CrowdSec webhook integration. Manual commands are for monitoring and emergency use only.
+
+**View Current Blocked IPs:**
+```bash
+# View current blocked IPs (Updated IP Set ID)
+aws wafv2 get-ip-set --scope CLOUDFRONT --region us-east-1 \
+  --id a9e47946-c186-4b28-83a8-fe3aeb9c296b \
+  --name aws-cf-dev-blocked-ips \
+  --query 'IPSet.Addresses'
+```
+
+**Test CrowdSec Webhook:**
+```bash
+# Test webhook endpoint
+curl -X POST https://8zdmpjfnhh.execute-api.us-east-1.amazonaws.com/dev/webhook \
+  -H "Content-Type: application/json" \
+  -H "User-Agent: CrowdSec/1.7.0" \
+  -d '[{"uuid":"test","decisions":[{"value":"1.2.3.4","type":"ban","action":"add"}]}]'
+```
+
+**Monitor CrowdSec Container:**
+```bash
+# Check CrowdSec status
+incus exec crowdsec -- cscli metrics
+
+# View current decisions
+incus exec crowdsec -- cscli decisions list
+
+# Test notifications
+incus exec crowdsec -- cscli notifications test aws-waf
+```
+
+**Lambda Function Monitoring:**
+```bash
+# Check Lambda logs
+aws logs tail /aws/lambda/aws-cf-dev-crowdsec-waf-updater --follow
+
+# Test Lambda directly
+aws lambda invoke --function-name aws-cf-dev-crowdsec-waf-updater response.json
+```
+
+### WAF Monitoring
+
+**Check WAF Metrics:**
+```bash
+# Check blocked requests
+aws cloudwatch get-metric-statistics --namespace AWS/WAFV2 \
+  --metric-name BlockedRequests \
+  --dimensions Name=WebACL,Value=aws-cf-dev-waf Name=Rule,Value=BlockedIPsRule \
+  --start-time $(date -u -d '1 hour ago' +%Y-%m-%dT%H:%M:%S) \
+  --end-time $(date -u +%Y-%m-%dT%H:%M:%S) \
+  --period 300 --statistics Sum
+
+# Check rate limited requests
+aws cloudwatch get-metric-statistics --namespace AWS/WAFV2 \
+  --metric-name BlockedRequests \
+  --dimensions Name=WebACL,Value=aws-cf-dev-waf Name=Rule,Value=RateLimitRule \
+  --start-time $(date -u -d '1 hour ago' +%Y-%m-%dT%H:%M:%S) \
+  --end-time $(date -u +%Y-%m-%dT%H:%M:%S) \
+  --period 300 --statistics Sum
+```
+
+## Working vs Disabled Features
+
 **Currently Working:**
- CloudFront distribution with HTTP origin
- WAF v2 with managed rules
- S3 logging and state storage
- Custom cache behaviors for API paths
+- CloudFront distribution with HTTP origin ✅
+- WAF v2 with managed rules ✅
+- S3 logging and state storage ✅
+- Custom cache behaviors for API paths ✅
+- IP-based blocking through WAF IP Sets ✅
+
+**Currently Enabled:**
+- ACM custom certificates (b011e60a-1ea1-4dd3-844f-e0851ece4784) ✅
+- Route53 DNS management (Z01934581JQAF2GS71GG) ✅
+- WAF v2 with IP blocking (d61073b6-27b1-473e-aa9f-d2aa4a4c75a6) ✅
+- CrowdSec webhook integration (setup required) ⚠️

 **Currently Disabled (can be enabled with proper permissions):**
- ACM custom certificates (CAA restrictions)
- Route53 DNS management (CAA restrictions)  
 - CloudFormation VPC stack (permission constraints)
- DynamoDB state locking (permission constraints)
+- DynamoDB state locking (permission constraints)
+
+## WAF Troubleshooting History
+
+### Issue Resolution (2025-09-09)
+
+**Problem**: WAF IP blocking was not functioning despite proper configuration.
+
+**Root Cause Analysis:**
+1. **IP Set ID Mismatch**: Commands referenced old IP Set ID (`c43ff364-f3e2-43c7-8462-8fae20599d8d`) instead of actual ID
+2. **CloudFront Deployment State**: Distribution was in "InProgress" status preventing WAF changes from taking effect
+3. **Configuration Synchronization**: WAF and CloudFront association was not properly synchronized
+
+**Resolution Method:**
+- Complete infrastructure recreation using `tofu destroy` and `tofu apply`
+- All resources recreated with fresh IDs and proper associations
+- WAF rules now properly configured with correct IP Set references
+
+**Current Status:**
+- ✅ WAF properly associated with CloudFront (`EATJ1HDQU8V51`)
+- ✅ IP blocking rules functional (Priority 1: BlockedIPsRule)
+- ✅ Rate limiting active (10,000 requests/5min per IP)
+- ✅ AWS managed rule sets enabled (Common + Known Bad Inputs)
+- ✅ Test IP blocking verified: `1.2.3.4/32`, `61.77.18.91/32`
+
+**Key Commands for Manual IP Management:**
+```bash
+# Add IP to blocked list
+aws wafv2 update-ip-set --scope=CLOUDFRONT --region=us-east-1 \
+  --id a9e47946-c186-4b28-83a8-fe3aeb9c296b \
+  --name aws-cf-dev-blocked-ips \
+  --addresses "IP1/32" "IP2/32" \
+  --lock-token $(aws wafv2 get-ip-set --scope=CLOUDFRONT --region=us-east-1 \
+    --id a9e47946-c186-4b28-83a8-fe3aeb9c296b \
+    --name aws-cf-dev-blocked-ips --query 'LockToken' --output text)
+
+# Verify WAF-CloudFront association
+aws cloudfront get-distribution --id EATJ1HDQU8V51 \
+  --query 'Distribution.DistributionConfig.WebACLId' --output text
+
+# Check current blocked IPs
+aws wafv2 get-ip-set --scope=CLOUDFRONT --region=us-east-1 \
+  --id a9e47946-c186-4b28-83a8-fe3aeb9c296b \
+  --name aws-cf-dev-blocked-ips --query 'IPSet.Addresses'
+```
+
+**Note**: WAF rule changes may take up to 15 minutes to propagate across CloudFront edge locations.
+
+# important-instruction-reminders
+Do what has been asked; nothing more, nothing less.
+NEVER create files unless they're absolutely necessary for achieving your goal.
+ALWAYS prefer editing an existing file to creating a new one.
+NEVER proactively create documentation files (*.md) or README files. Only create documentation files if explicitly requested by the User.