Fix: WAF alarm tripped by BlockedIPs and BlockedUserAgents rules (#7205)

dsotirho-ucsc · dsotirho-ucsc · commit 57d916962da3 · 2025-06-17T16:43:16.000-07:00
diff --git a/terraform/cloudwatch.tf.json.template.py b/terraform/cloudwatch.tf.json.template.py
@@ -2,6 +2,7 @@
 
 from azul import (
     config,
+    iif,
 )
 from azul.deployment import (
     aws,
@@ -23,6 +24,42 @@ def dashboard_body() -> str:
     return body
 
 
+def waf_blocked_alarm_metrics() -> list[tuple[str, str]]:
+    # The blocking WAF rules to be evaluated by the 'waf_blocked' alarm, i.e.
+    # requests blocked by WAF rules omitted from this list will not trigger the
+    # alarm.
+    blocking_rules = [
+        config.waf_rate_rule_name,
+        config.waf_rate_alarm_rule_name,
+        'AWS-CommonRuleSet',
+        'AWS-AmazonIpReputationList',
+        'AWS-UnixRuleSet',
+        *iif(config.waf_file_download_limit, [
+            'FileDownloadRateLimit'
+        ]),
+        *iif(config.waf_bot_control, [
+            'AWS-AWSManagedRulesBotControlRuleSet',
+            'BlockVerifiedBotsRule'
+        ])
+    ]
+    return [
+        # Note the first metric is for the allowed requests …
+        ('AllowedRequests', 'ALL'),
+        # … followed by metrics for each included block rule.
+        *[('BlockedRequests', rule) for rule in blocking_rules]
+    ]
+
+
+def waf_blocked_alarm_expression() -> str:
+    """
+    Return an expression used by the 'waf_blocked' alarm giving the percentage
+    of blocked requests, where 'm0' is the metric for all allowed requests, and
+    'm1'… represents each evaluated blocking rule. e.g. "m1+m2/(m0+m1+m2)*100"
+    """
+    msum = '+'.join(f'm{i}' for i in range(1, len(waf_blocked_alarm_metrics())))
+    return f'{msum}/(m0+{msum})*100'
+
+
 emit_tf({
     'data': [
         {
@@ -280,7 +317,7 @@ def dashboard_body() -> str:
                                 {
                                     'id': 'waf',
                                     'label': 'Percentage of blocked requests',
-                                    'expression': 'm1/(m0+m1)*100',
+                                    'expression': waf_blocked_alarm_expression(),
                                     'return_data': 'true',
                                 },
                                 *(
@@ -294,11 +331,11 @@ def dashboard_body() -> str:
                                             'dimensions': {
                                                 'WebACL': '${aws_wafv2_web_acl.api_gateway.name}',
                                                 'Region': config.region,
-                                                'Rule': 'ALL'
+                                                'Rule': rule
                                             }
                                         }
                                     }
-                                    for i, metric in enumerate(['AllowedRequests', 'BlockedRequests'])
+                                    for i, (metric, rule) in enumerate(waf_blocked_alarm_metrics())
                                 )
                             ]
                         },
