Merge pull request #70 from alphagov/sengi/missing-denylist

Fix missing denylist in datagovuk vcl_recv.

datagovuk.tf

@@ -12,6 +12,8 @@ module "datagovuk-integration" {
   }
 
   secrets = yamldecode(var.datagovuk_integration)
+
+  dictionaries = local.dictionaries
 }
 
 variable "datagovuk_staging" {
@@ -44,4 +46,4 @@ module "datagovuk-production" {
   }
 
   secrets = yamldecode(var.datagovuk_production)
-}
+}

modules/datagovuk/datagovuk.vcl.tftpl

@@ -39,6 +39,11 @@ backend F_cname_find_eks_${environment}_govuk_digital {
 sub vcl_recv {
   ${indent(2, file("${module_path}/../shared/_boundary_headers.vcl.tftpl"))}
 
+  # Serve 404 if source IP/netblock is denylisted.
+  if (table.lookup(ip_address_denylist, client.ip)) {
+    error 404 "Not Found";
+  }
+
   # Require authentication for PURGE requests
   set req.http.Fastly-Purge-Requires-Auth = "1";
 
@@ -204,4 +209,4 @@ sub vcl_error {
 
 sub vcl_pass {
 #FASTLY pass
-}
+}

modules/datagovuk/service.tf

@@ -58,6 +58,11 @@ resource "fastly_service_vcl" "service" {
     content = templatefile("${path.module}/${var.vcl_template_file}", local.template_values)
   }
 
+  dynamic "dictionary" {
+    for_each = var.dictionaries
+    content { name = dictionary.key }
+  }
+
   dynamic "condition" {
     for_each = {
       for c in lookup(local.template_values, "conditions", []) : c.name => c
@@ -161,3 +166,13 @@ resource "fastly_service_vcl" "service" {
     }
   }
 }
+
+resource "fastly_service_dictionary_items" "items" {
+  for_each = {
+    for d in fastly_service_vcl.service.dictionary : d.name => d
+  }
+  service_id    = fastly_service_vcl.service.id
+  dictionary_id = each.value.dictionary_id
+  items         = var.dictionaries[each.key]
+  manage_items  = true
+}

modules/datagovuk/variables.tf

@@ -6,6 +6,10 @@ variable "configuration" {
   default = {}
 }
 
+variable "dictionaries" {
+  default = {}
+}
+
 variable "vcl_template_file" {
   default = "datagovuk.vcl.tftpl"
 }