9 changes: 9 additions & 0 deletions google_fastly_waf/main.tf
Expand Up @@ -323,3 +323,12 @@ resource "sigsci_edge_deployment_service_backend" "ngwaf_edge_service_backend_sy
sigsci_edge_deployment_service.ngwaf_edge_service_link,
]
}

### Slack Alerting Integration for WAF Events
resource "sigsci_site_integration" "slack_logging_mode_alerts" {
count = var.enable_slack_logging_mode_alerts ? 1 : 0
site_short_name = sigsci_site.ngwaf_edge_site.short_name
type = "slack"
url = var.slack_logging_webhook_url
events = ["loggingModeChanged"]
}
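Review bot: `url = var.slack_logging_webhook_url` in the new `sigsci_site_integration` block puts the webhook URL straight into the resource, so it will be persisted in plain text in Terraform state regardless of any `sensitive` marking on the variable; the thread on this PR already notes this. Until the sigsci provider offers a write-only `url` argument that can take an ephemeral value, access control on the state backend is the real boundary, and the comment above the block should say so. Minor: the other comments in this file use a single `#`, while this one uses `###`.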
4 changes: 4 additions & 0 deletions google_fastly_waf/outputs.tf
Expand Up @@ -5,3 +5,7 @@ output "ngwaf_edgesite_short_name" {
output "certificate_verification_information" {
value = fastly_tls_subscription.fastly.*.managed_dns_challenges
}

output "slack_logging_integration_id" {
value = var.enable_slack_logging_mode_alerts ? sigsci_site_integration.slack_logging_mode_alerts[0].id : null
}
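Review bot: the ternary in `slack_logging_integration_id` duplicates the `count` condition from main.tf, so the two can drift if the condition changes. `value = one(sigsci_site_integration.slack_logging_mode_alerts[*].id)` returns the id when the resource exists and `null` when the list is empty, without repeating the flag. A `description` on the output would also help, since the meaning of "logging integration" is not obvious from the name alone.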
12 changes: 12 additions & 0 deletions google_fastly_waf/variables.tf
Expand Up @@ -133,3 +133,15 @@ variable "ngwaf_percent_enabled" {
type = number
default = 100
}

variable "slack_logging_webhook_url" {
type = string
sensitive = true
default = "TBD"
Contributor
@bkochendorfer Would it make more sense to:

  • Have main.tf read the secret from a specific GCP project. Example:
data "google_secret_manager_secret_version" "slack_waf_webhook" {
  count   = var.enable_slack_alerting ? 1 : 0
  project = var.slack_webhook_secret_project
  secret  = "slack-waf-webhook-url"
}
  • and create that secret in webservices?

What do you think?

Member
I think this is a good way to retrieve the data. The URL will still be written to Terraform state in plain text in sigsci_site_integration, so I'm not sure I would consider this entire approach optimal.

Contributor
Correct. I think the impact is not too high though: someone retrieving the URL will be able to post messages to that channel.

  • If not doing it this way: what approach would you recommend?
  • If doing it this way, we still need to figure out where in webservices we store this secret 🤔

Member
Terraform does have a method for dealing with secrets like this https://www.hashicorp.com/en/blog/ephemeral-values-in-terraform, but it would require the sigsci provider to modify that Slack url to be "write only" as well. If they did, you could do something like the following. You could also create the secret object here in this module and have the secret persisted outside of Terraform.

We might need to think of a more centralized approach here as these URLs are likely the same per channel and you might have multiple notifications bound to one channel?

# Ephemeral value: read at plan/apply time, never written to state or plan files.
ephemeral "google_secret_manager_secret_version" "slack_waf_webhook" {
  # Keyed on the same flag as the integration below, so index [0] always
  # exists whenever it is referenced.
  count   = var.enable_slack_logging_mode_alerts ? 1 : 0
  project = var.slack_webhook_secret_project
  secret  = "slack-waf-webhook-url"
}

resource "sigsci_site_integration" "slack_logging_mode_alerts" {
  count           = var.enable_slack_logging_mode_alerts ? 1 : 0
  site_short_name = sigsci_site.ngwaf_edge_site.short_name
  type            = "slack"
  # secret_data is the payload of the secret version; this only works once
  # the provider marks url as write-only, otherwise Terraform rejects the
  # ephemeral reference.
  url             = ephemeral.google_secret_manager_secret_version.slack_waf_webhook[0].secret_data
  events          = ["loggingModeChanged"]
}

Contributor
We might need to think of a more centralized approach here as these URLs are likely the same per channel

+1 on that. I was suggesting above to host this in webservices, but... I don't have any strong feelings on that, so it can be in our security-infra as well, for example.

Contributor
@sseehra After talking with @bkochendorfer on this, we think we should change our approach. I'll post more details in the Jira ticket.

}

variable "enable_slack_logging_mode_alerts" {
description = "Enable or disable the Slack integration for logging mode change alerts"
type = bool
default = true
}
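Review bot: `default = "TBD"` on `slack_logging_webhook_url` combined with `default = true` on `enable_slack_logging_mode_alerts` means an apply with no variable overrides creates the Slack integration with a placeholder instead of a webhook. Remove the default so the URL must be supplied (or default the enable flag to false), and reject placeholders up front with a validation block, for example `condition = can(regex("^https://hooks.slack.com/", var.slack_logging_webhook_url))` plus an `error_message`. The new variable also lacks the `description` that `enable_slack_logging_mode_alerts` has. Note that `sensitive = true` only redacts the value from plan and apply output; it is still written to state, as discussed in the thread.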