Merge pull request #9477 from ministryofjustice/feature/9037-switch-r…

…53-dns-firewall-module-to-block

Switch `r53-dns-firewall` module to `BLOCK`

.github/workflows/core-vpc-development-deployment.yml

@@ -19,6 +19,7 @@ on:
       - 'terraform/modules/vpc-nacls/**'
       - 'terraform/modules/ram-resource-share/**'
       - 'terraform/modules/core-vpc-tgw-routes/**'
+      - 'terraform/modules/r53-dns-firewall/**'
       - '.github/workflows/reusable-member-account-ram-association.yml'
       - '.github/workflows/reusable_terraform_plan_apply.yml'
       - '!**.md'

.github/workflows/core-vpc-preproduction-deployment.yml

@@ -40,6 +40,7 @@ on:
       - 'terraform/modules/vpc-nacls/**'
       - 'terraform/modules/ram-resource-share/**'
       - 'terraform/modules/core-vpc-tgw-routes/**'
+      - 'terraform/modules/r53-dns-firewall/**'
       - '.github/workflows/reusable-member-account-ram-association.yml'
       - '.github/workflows/reusable_terraform_plan_apply.yml'
       - '!**.md'

.github/workflows/core-vpc-production-deployment.yml

@@ -40,6 +40,7 @@ on:
       - 'terraform/modules/vpc-nacls/**'
       - 'terraform/modules/ram-resource-share/**'
       - 'terraform/modules/core-vpc-tgw-routes/**'
+      - 'terraform/modules/r53-dns-firewall/**'
       - '.github/workflows/reusable-member-account-ram-association.yml'
       - '.github/workflows/reusable_terraform_plan_apply.yml'
       - '!**.md'

.github/workflows/core-vpc-test-deployment.yml

@@ -40,6 +40,7 @@ on:
       - 'terraform/modules/vpc-nacls/**'
       - 'terraform/modules/ram-resource-share/**'
       - 'terraform/modules/core-vpc-tgw-routes/**'
+      - 'terraform/modules/r53-dns-firewall/**'
       - '.github/workflows/reusable-member-account-ram-association.yml'
       - '.github/workflows/reusable_terraform_plan_apply.yml'
       - '!**.md'

terraform/modules/r53-dns-firewall/README.md

@@ -8,7 +8,7 @@ This module creates the following resources per VPC:
 - a custom list of allowed and blocked domains which can be defined via the `allowed_domains` and `blocked_domains` inputs
 - R53 Resolver Firewall Rules in the following priority:
   **1** - An allow rule for the `allowed_domains` list
-  **2-5** - a set of rules that ALERT on any domains that match the [AWS-managed threat lists](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall-managed-domain-lists.html)
+  **2-5** - a set of rules that BLOCK any domains that match the [AWS-managed threat lists](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall-managed-domain-lists.html)
   **6** - A Block rule for the `blocked_domains` list
 
 # Example usage

terraform/modules/r53-dns-firewall/main.tf

@@ -17,14 +17,14 @@ resource "aws_route53_resolver_firewall_domain_list" "block" {
   tags    = var.tags_common
 }
 
-# Default rule to ALERT on AWS-managed bad domain lists - see https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall-managed-domain-lists.html
-# These rules will be set to ALERT initially and enabled in production - after a period of monitoring we will switch to BLOCK
+# Default rule to BLOCK based on AWS-managed bad domain lists - see https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall-managed-domain-lists.html
 data "external" "aws_managed_domain_lists" {
   program = ["bash", "${path.module}/fetch-aws-managed-domain-lists.sh"]
 }
 resource "aws_route53_resolver_firewall_rule" "default_alert" {
   for_each                = data.external.aws_managed_domain_lists.result
-  action                  = "ALERT"
+  action                  = "BLOCK"
+  block_response          = var.block_response
   firewall_domain_list_id = each.value
   priority                = each.key == "AWSManagedDomainsAggregateThreatList" ? 2 : each.key == "AWSManagedDomainsMalwareDomainList" ? 3 : each.key == "AWSManagedDomainsBotnetCommandandControl" ? 4 : 5
   firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.this.id