From 153e0c4378b618d1fcf13ae930b6d66749fbc1d4 Mon Sep 17 00:00:00 2001
From: Sean Rankine
Date: Thu, 11 Jul 2024 13:26:43 +0100
Subject: [PATCH] Enable edge rate limiting

The allows us to rate limit requests at edge.
---
 modules/assets/main.tf | 18 ++++++++++++++++++
 modules/bouncer/main.tf | 18 ++++++++++++++++++
 modules/datagovuk/main.tf | 18 ++++++++++++++++++
 modules/www/main.tf | 18 ++++++++++++++++++
 4 files changed, 72 insertions(+)

diff --git a/modules/assets/main.tf b/modules/assets/main.tf
index 37fad43..1643ac5 100644
--- a/modules/assets/main.tf
+++ b/modules/assets/main.tf
@@ -94,6 +94,24 @@ resource "fastly_service_vcl" "service" {
 }
 }
 
+ rate_limiter {
+ name = "rate_limiter"
+
+ rps_limit = 500
+ window_size = 10
+ penalty_box_duration = 5
+
+ client_key = "req.http.Fastly-Client-IP"
+ http_methods = "GET,PUT,TRACE,POST,HEAD,DELETE,PATCH,OPTIONS"
+
+ action = "response"
+ response {
+ content = "Too many requests"
+ content_type = "plain/text"
+ status = 429
+ }
+ }
+
 dynamic "logging_splunk" {
 for_each = {
 for splunk in lookup(var.secrets, "splunk", []) : splunk.name => splunk
diff --git a/modules/bouncer/main.tf b/modules/bouncer/main.tf
index 189310c..0c3a3d9 100644
--- a/modules/bouncer/main.tf
+++ b/modules/bouncer/main.tf
@@ -32,6 +32,24 @@ resource "fastly_service_vcl" "service" {
 })
 }
 
+ rate_limiter {
+ name = "rate_limiter"
+
+ rps_limit = 500
+ window_size = 10
+ penalty_box_duration = 5
+
+ client_key = "req.http.Fastly-Client-IP"
+ http_methods = "GET,PUT,TRACE,POST,HEAD,DELETE,PATCH,OPTIONS"
+
+ action = "response"
+ response {
+ content = "Too many requests"
+ content_type = "plain/text"
+ status = 429
+ }
+ }
+
 dynamic "logging_s3" {
 for_each = {
 for s3 in lookup(var.secrets, "s3", []) : s3.name => s3
diff --git a/modules/datagovuk/main.tf b/modules/datagovuk/main.tf
index 52e80a5..9d8d21e 100644
--- a/modules/datagovuk/main.tf
+++ b/modules/datagovuk/main.tf
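Review bot: `content_type = "plain/text"` in the `response` block added to modules/assets/main.tf is not a registered media type; the type and subtype are reversed and the line should read `content_type = "text/plain"`. With an unrecognised type some clients may sniff the 429 body or offer it as a download rather than display it. The same line appears in the rate_limiter blocks added to modules/bouncer, modules/datagovuk and modules/www and needs the same change. The enclosing `fastly_service_vcl` resource starts and ends outside the hunk.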
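Review bot: The limiter added to modules/bouncer/main.tf identifies clients by `client_key = "req.http.Fastly-Client-IP"`, which is a request header, so the limit is only as trustworthy as whatever sets that header before the limiter runs. Nothing visible in the hunk shows the service VCL overwriting it from the connection address at the edge; that should be confirmed, because a value the client can influence would let one sender be counted under many keys or land another client's key in the penalty box. I would record the dependency in a comment above the line, for example `# Fastly-Client-IP must be set from client.ip at the edge (see <VCL file>); the limiter trusts it`. The same key is used in the assets, datagovuk and www hunks.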
@@ -111,6 +111,24 @@ resource "fastly_service_vcl" "service" {
 force_ssl = true
 }
 
+ rate_limiter {
+ name = "rate_limiter"
+
+ rps_limit = 500
+ window_size = 10
+ penalty_box_duration = 5
+
+ client_key = "req.http.Fastly-Client-IP"
+ http_methods = "GET,PUT,TRACE,POST,HEAD,DELETE,PATCH,OPTIONS"
+
+ action = "response"
+ response {
+ content = "Too many requests"
+ content_type = "plain/text"
+ status = 429
+ }
+ }
+
 dynamic "logging_splunk" {
 for_each = {
 for splunk in lookup(var.secrets, "splunk", []) : splunk.name => splunk
diff --git a/modules/www/main.tf b/modules/www/main.tf
index 83a2768..04e1b96 100644
--- a/modules/www/main.tf
+++ b/modules/www/main.tf
@@ -109,6 +109,24 @@ resource "fastly_service_vcl" "service" {
 }
 }
 
+ rate_limiter {
+ name = "rate_limiter"
+
+ rps_limit = 500
+ window_size = 10
+ penalty_box_duration = 5
+
+ client_key = "req.http.Fastly-Client-IP"
+ http_methods = "GET,PUT,TRACE,POST,HEAD,DELETE,PATCH,OPTIONS"
+
+ action = "response"
+ response {
+ content = "Too many requests"
+ content_type = "plain/text"
+ status = 429
+ }
+ }
+
 dynamic "logging_splunk" {
 for_each = {
 for splunk in try(var.secrets["splunk"], []) : splunk.name => splunk
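Review bot: The thresholds in the rate_limiter block added to modules/datagovuk/main.tf are bare literals with mixed units, and the identical block is pasted into all four modules, so a later tuning change has to be made four times and can drift between services. As I read the Fastly provider, `rps_limit` is requests per second, `window_size` is in seconds and `penalty_box_duration` is in minutes; a comment such as `# 500 rps averaged over 10 s; offenders get 429 for 5 min` would spare the next reader a lookup. Consider lifting the three numbers into module variables with these defaults (name illustrative: `rps_limit = var.rate_limit_rps`) so each service can be tuned on its own traffic profile.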