Different rate limits depending on HTTP method (#5555)
dsotirho-ucsc committed Jan 19, 2024
1 parent 08eff88 commit 34336cf
Showing 3 changed files with 78 additions and 5 deletions.
2 changes: 2 additions & 0 deletions src/azul/__init__.py
Expand Up @@ -1503,6 +1503,8 @@ def docker_images(self) -> dict[str, str]:

waf_rate_rule_name = 'RateRule'

waf_expensive_rate_rule_name = 'ExpensiveRateRule'


config: Config = Config() # yes, the type hint does help PyCharm

62 changes: 57 additions & 5 deletions terraform/api_gateway.tf.json.template.py
Expand Up @@ -204,6 +204,34 @@ def for_domain(cls, domain):
'rule': [
{
'priority': 0,
'name': 'LabelPostRequests',
'action': {
'count': {}
},
'rule_label': {
'name': 'azul:expensive'
},
'statement': {
'byte_match_statement': {
'field_to_match': {
'method': {}
},
'positional_constraint': 'EXACTLY',
'search_string': 'POST',
'text_transformation': {
'priority': 0,
'type': 'NONE'
}
}
},
'visibility_config': {
'metric_name': 'LabelPostRequests',
'sampled_requests_enabled': True,
'cloudwatch_metrics_enabled': True
}
},
{
'priority': 1,
'name': 'BlockedIPs',
'action': {
'block': {}
Expand All @@ -220,15 +248,39 @@ def for_domain(cls, domain):
}
},
{
'priority': 1,
'priority': 2,
'name': config.waf_expensive_rate_rule_name,
'action': {
'block': {}
},
'statement': {
'rate_based_statement': {
'limit': 100, # limit must be between 100 and 20,000,000
'aggregate_key_type': 'IP',
'scope_down_statement': {
'label_match_statement': {
'scope': 'LABEL',
'key': 'azul:expensive'
}
}
}
},
'visibility_config': {
'metric_name': config.waf_expensive_rate_rule_name,
'sampled_requests_enabled': True,
'cloudwatch_metrics_enabled': True
}
},
{
'priority': 3,
'name': config.waf_rate_rule_name,
'action': {
'block': {}
},
'statement': {
'rate_based_statement': {
'limit': 1000, # limit must be between 100 and 20,000,000
'aggregate_key_type': 'IP'
'aggregate_key_type': 'IP',
}
},
'visibility_config': {
Expand All @@ -238,7 +290,7 @@ def for_domain(cls, domain):
}
},
{
'priority': 2,
'priority': 4,
'name': 'AWS-CommonRuleSet',
'override_action': {
'none': {}
Expand Down Expand Up @@ -274,7 +326,7 @@ def for_domain(cls, domain):
}
},
{
'priority': 3,
'priority': 5,
'name': 'AWS-AmazonIpReputationList',
'override_action': {
'none': {}
Expand All @@ -292,7 +344,7 @@ def for_domain(cls, domain):
}
},
{
'priority': 4,
'priority': 6,
'name': 'AWS-UnixRuleSet',
'override_action': {
'none': {}
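Review bot: The inline comment on the new `'limit': 100` (and the pre-existing one on `'limit': 1000`) states only the permitted range, not what the number means, and the blocking behaviour hinges on it: a WAF rate-based statement counts requests per aggregation key over the rule's evaluation window (5 minutes by default), so this is 100 POSTs per source IP per 5 minutes, and every user behind a shared NAT or institutional egress draws on that one budget. Suggest `'limit': 100,  # POSTs per source IP per 5-minute window; must be between 100 and 20,000,000`. Note also that the general `config.waf_rate_rule_name` rule at priority 3 has no scope-down excluding the `azul:expensive` label, so labeled POSTs count toward both limits; if that is intended, a one-line comment saying so would spare the next reader from re-deriving it. The enclosing `for_domain` classmethod starts above this hunk and continues past it.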
19 changes: 19 additions & 0 deletions terraform/cloudwatch.tf.json.template.py
Expand Up @@ -367,6 +367,25 @@ def prod_qualified_resource_name(name: str) -> str:
},
'alarm_actions': ['${data.aws_sns_topic.monitoring.arn}'],
'ok_actions': ['${data.aws_sns_topic.monitoring.arn}'],
},
'waf_expensive_rate_blocked': {
'alarm_name': config.qualified_resource_name('waf_expensive_rate_blocked'),
'comparison_operator': 'GreaterThanThreshold',
'threshold': 0,
'datapoints_to_alarm': 1,
'evaluation_periods': 1,
'period': 5 * 60,
'metric_name': 'BlockedExpensiveRequests',
'namespace': 'AWS/WAFV2',
'statistic': 'Sum',
'treat_missing_data': 'notBreaching',
'dimensions': {
'WebACL': '${aws_wafv2_web_acl.api_gateway.name}',
'Region': config.region,
'Rule': config.waf_expensive_rate_rule_name
},
'alarm_actions': ['${data.aws_sns_topic.monitoring.arn}'],
'ok_actions': ['${data.aws_sns_topic.monitoring.arn}'],
}
}
}
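Review bot: `'metric_name': 'BlockedExpensiveRequests'` on the new `waf_expensive_rate_blocked` alarm does not look like a metric the `AWS/WAFV2` namespace publishes; as far as I know the per-rule metrics are `AllowedRequests`, `BlockedRequests`, `CountedRequests` and `PassedRequests`, and the specific rule is selected by the `Rule` dimension, which this alarm already sets to `config.waf_expensive_rate_rule_name`. Combined with `'treat_missing_data': 'notBreaching'`, an alarm on a metric that never exists sits permanently in OK, so blocks by the expensive rate rule would go unreported while monitoring looks healthy. Suggest `'metric_name': 'BlockedRequests',`, and confirm it matches the `metric_name` of the preceding alarm, which lies outside the hunk. The enclosing dict literal starts above this hunk.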
