fixup! Fix: WAF alarm tripped by BlockedIPs and BlockedUserAgents rules (#7205)

dsotirho-ucsc · dsotirho-ucsc · commit 06b1361904e4 · 2025-06-24T16:45:17.000-07:00
diff --git a/src/azul/__init__.py b/src/azul/__init__.py
@@ -1772,7 +1772,10 @@ def docker_image_gists_path(self) -> Path:
 
     blocked_user_agents_custom_regex_term = 'blocked_user_agents_custom'
 
-    waf_block_rules_not_logged = [
+    #: The names of WAF rules whose matching requests will not be logged in the
+    #: WAF log group, nor trip the `waf_blocked` Cloudwatch alarm.
+    #:
+    waf_rules_not_logged = [
         blocked_v4_ips_term,
         blocked_user_agents_regex_term
     ]
diff --git a/terraform/api_gateway.tf.json.template.py b/terraform/api_gateway.tf.json.template.py
@@ -158,7 +158,7 @@ def add_waf_blocked_alarm(resources: JSON) -> JSON:
             for rule in resources['aws_wafv2_web_acl']['api_gateway']['rule']
             if (
                 ('block' in rule.get('action', {}) or 'none' in rule.get('override_action', {}))
-                and rule['name'] not in config.waf_block_rules_not_logged
+                and rule['name'] not in config.waf_rules_not_logged
             )
         ]
         metrics = [
@@ -350,9 +350,10 @@ def add_waf_blocked_alarm(resources: JSON) -> JSON:
                                     'action': {
                                         action: {}
                                     },
-                                    # We add a label to requests blocked by IP
-                                    # to prevent these requests from being
-                                    # logged or tripping WAF alarms.
+                                    # We add a label to these requests to give
+                                    # us the option to exclude them from being
+                                    # logged in the WAF log group. See
+                                    # aws_wafv2_web_acl_logging_configuration
                                     'rule_label': {
                                         'name': name
                                     },
@@ -396,9 +397,10 @@ def add_waf_blocked_alarm(resources: JSON) -> JSON:
                                 'action': {
                                     'block': {}
                                 },
-                                # We add a label to requests blocked by user
-                                # agent to prevent these requests from being
-                                # logged or tripping WAF alarms.
+                                # We add a label to these requests to give us
+                                # the option to exclude them from being logged
+                                # in the WAF log group. See
+                                # aws_wafv2_web_acl_logging_configuration
                                 'rule_label': {
                                     'name': config.blocked_user_agents_regex_term
                                 },
@@ -666,7 +668,7 @@ def add_waf_blocked_alarm(resources: JSON) -> JSON:
                                                               term
                                                           )
                                         }
-                                    } for term in config.waf_block_rules_not_logged
+                                    } for term in config.waf_rules_not_logged
                                 ]
                             ]
                         ]
