6.0.0 (2025-01-09)
⚠ BREAKING CHANGES
- DBTP-1395 Add CloudFront and application load balancer origin verification secret for IP Filter spoofing (#273)
Features
- DBTP-1395 Add CloudFront and application load balancer origin verification secret for IP Filter spoofing (#273) (7c182e0)
Upgrade Path
To upgrade to version 6 of terraform-platform-modules you can modify the
<application>-deploy/platform-config.yml for the environments that you want to upgrade (put the versions property in an individual environment or under the * to apply to all environments)
environments:
"*":
accounts:
deploy:
name: "platform-sandbox"
id: "563763463626"
dns:
name: "dev"
id: "011755346992"
vpc: platform-sandbox-dev
dev:
versions: # add "versions" property
terraform-platform-modules: 6 # set "terraform-platform-modules" property to 6
...
Please let SRE and the Platform team know when you have upgraded to this release
Once a service team upgrades to terraform-platform-modules release version 6 and does a terraform apply, the new WAF resource for the application load balancer & the CDN origin header resources will get provisioned. This ensures all traffic for the services will have to travel through the CDN and be validated before it reaches the application load balancer.
Troubleshooting
This should enable the required traffic protection without disrupting traffic to the services through the CDN.
If there are any traffic issues to the services, the WAF can be disassociated from the ALB to allow traffic while the problem is investigated.
See Platform documentation for Troubleshooting web application firewall rule on the load balancer