WAF observability (DETECTION mode)
Policy
One oci_waf_web_app_firewall_policy per frontend via
deploy/terraform/modules/waf/. Rules:
- OWASP Core Rule Set (managed) → LOG in DETECTION.
- Admin-path CIDR guard (/api/admin/*) → LOG when the request originates outside admin_allow_cidrs.
- Login burst (/login, /api/auth/login) → LOG after 10 req/min.
Flip var.waf_mode = "BLOCK" once the saved searches show zero false
positives for a week. The Coordinator waf-tighten-suggest playbook
surfaces a Terraform diff proposal before any apply.
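The two custom rules above are easier to review when their semantics are written out. The following is an added example, not the project's Terraform module: a Python model of the admin-path CIDR guard and the login-burst rule in DETECTION mode, replayed over constructed requests. The managed OWASP CRS rule is evaluated by OCI and is not modelled. The allow-list CIDRs, rule names and the DetectionPolicy/replay helpers are assumptions for this example; the 10 req/min threshold and the paths come from the page.

```python
"""Added example (not the project's Terraform): a Python model of the two
custom DETECTION-mode rules, run over constructed requests."""
import ipaddress
from collections import defaultdict, deque

# Constructed stand-ins for the Terraform variables named on the page.
ADMIN_ALLOW_CIDRS = ["10.0.0.0/8", "203.0.113.0/24"]   # var.admin_allow_cidrs (assumed values)
LOGIN_PATHS = {"/login", "/api/auth/login"}
LOGIN_BURST_LIMIT = 10          # requests per minute, as on the page
WINDOW_SECONDS = 60


class DetectionPolicy:
    """Evaluate requests and report which rules would LOG them.

    In DETECTION mode nothing is denied; the matched rule names are what
    the WAF would write to the log group for that request.
    """

    def __init__(self, allow_cidrs=ADMIN_ALLOW_CIDRS, mode="DETECTION"):
        self.allow_nets = [ipaddress.ip_network(c) for c in allow_cidrs]
        self.mode = mode
        # Per-source-IP sliding window of login request timestamps (seconds).
        self._login_hits = defaultdict(deque)

    def _admin_path_guard(self, path, client_ip):
        # Matches only admin paths whose source is outside every allowed CIDR.
        if not path.startswith("/api/admin/"):
            return False
        ip = ipaddress.ip_address(client_ip)
        return not any(ip in net for net in self.allow_nets)

    def _login_burst(self, path, client_ip, ts):
        # Counts login requests per source IP in a 60 s window; fires past the limit.
        if path not in LOGIN_PATHS:
            return False
        hits = self._login_hits[client_ip]
        hits.append(ts)
        while hits and ts - hits[0] >= WINDOW_SECONDS:
            hits.popleft()
        return len(hits) > LOGIN_BURST_LIMIT

    def evaluate(self, path, client_ip, ts):
        """Return (action, matched_rule_names) for one request."""
        matched = []
        if self._admin_path_guard(path, client_ip):
            matched.append("admin_path_cidr_guard")
        if self._login_burst(path, client_ip, ts):
            matched.append("login_burst")
        if not matched:
            return "ALLOW", matched
        # DETECTION logs and passes the request; BLOCK (var.waf_mode) would deny it.
        return ("LOG" if self.mode == "DETECTION" else "BLOCK"), matched


def replay(policy, requests):
    """Replay (ts, client_ip, path) tuples and count LOG events per rule.

    This per-rule count is the figure a false-positive review of the saved
    searches looks at before var.waf_mode is flipped to BLOCK.
    """
    counts = defaultdict(int)
    for ts, ip, path in requests:
        action, rules = policy.evaluate(path, ip, ts)
        if action != "ALLOW":
            for rule in rules:
                counts[rule] += 1
    return dict(counts)


# Constructed traffic: one admin request from outside the allow-list, one from
# inside it, and 12 login requests within one minute from a single source IP.
SAMPLE = (
    [(0, "198.51.100.7", "/api/admin/users")]
    + [(1, "10.1.2.3", "/api/admin/users")]
    + [(t, "198.51.100.9", "/login") for t in range(2, 14)]
)

if __name__ == "__main__":
    print(replay(DetectionPolicy(), SAMPLE))
```

Only the 11th and 12th login requests exceed the 10 req/min limit, so the replay reports two login_burst LOG events and one admin_path_cidr_guard event; the admin request from inside the allow-list is not logged.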
Log routing
WAF policy ─► OCI Logging group (var.waf_log_group_id)
│
└─► Service Connector ─► Log Analytics
parser: octo-waf
Configured via deploy/terraform/modules/log_pipeline/ and root
variables waf_log_id_{shop,crm,ops,coordinator}.
Correlation
X-Request-Id is generated by server/security/request_id.py and
echoed back on every response. The WAF parser extracts the same header,
so dashboards can join WAF events to app logs by that id alone (no
trace-context propagation required at the WAF layer).
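As an added example, not the project's server/security/request_id.py, the following shows both halves of that correlation: a WSGI middleware that generates X-Request-Id and echoes it on the response, and the join a dashboard performs between WAF events and app log entries on that id. The middleware only honours an inbound id that is a canonical UUID, so a client cannot inject an arbitrary string as the join key. The field names of the WAF events and app log records, and the RequestIdMiddleware, join_waf_to_app and run_request helpers, are assumptions for this example.

```python
"""Added example (not the project's request_id.py): X-Request-Id middleware
plus the WAF-event to app-log join keyed on that header."""
import uuid
from collections import defaultdict

HEADER = "X-Request-Id"


class RequestIdMiddleware:
    """Attach a request id to every request and echo it on the response."""

    def __init__(self, app):
        self.app = app

    @staticmethod
    def _is_canonical_uuid(value):
        # Accept only lowercase hyphenated UUIDs; anything else is replaced.
        try:
            return str(uuid.UUID(value)) == value
        except (ValueError, TypeError, AttributeError):
            return False

    def __call__(self, environ, start_response):
        inbound = environ.get("HTTP_X_REQUEST_ID")
        request_id = inbound if self._is_canonical_uuid(inbound) else str(uuid.uuid4())
        environ["app.request_id"] = request_id   # for the app's own log lines

        def _start(status, headers, exc_info=None):
            # Echo the id, replacing any X-Request-Id the app may have set itself.
            headers = [(k, v) for k, v in headers if k.lower() != HEADER.lower()]
            headers.append((HEADER, request_id))
            return start_response(status, headers, exc_info)

        return self.app(environ, _start)


def join_waf_to_app(waf_events, app_logs):
    """Join WAF events to app log records on request_id.

    Returns {request_id: {"waf": [...], "app": [...]}} for ids seen at the WAF;
    app records without a matching WAF event are dropped.
    """
    by_id = defaultdict(lambda: {"waf": [], "app": []})
    for event in waf_events:
        by_id[event["request_id"]]["waf"].append(event)
    for record in app_logs:
        rid = record.get("request_id")
        if rid in by_id:
            by_id[rid]["app"].append(record)
    return dict(by_id)


def hello_app(environ, start_response):
    """Minimal WSGI app standing in for the real service."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def run_request(app, headers=None):
    """Drive a WSGI app once; return (status, response headers, id seen by the app)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/api/admin/users"}
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, resp_headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = resp_headers

    list(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), environ["app.request_id"]


# Constructed records: one WAF LOG event and two app log lines, one sharing its id.
RID = "2d6f1c3e-5a8b-4c1d-9e7f-0123456789ab"
WAF_EVENTS = [{"request_id": RID, "rule": "admin_path_cidr_guard", "action": "LOG",
               "client_ip": "198.51.100.7", "path": "/api/admin/users"}]
APP_LOGS = [{"request_id": RID, "msg": "listed users", "user": "alice"},
            {"request_id": "8f2a0b4c-1d2e-4f3a-8b9c-ab0123456789", "msg": "healthcheck"}]

if __name__ == "__main__":
    print(run_request(RequestIdMiddleware(hello_app)))
    print(join_waf_to_app(WAF_EVENTS, APP_LOGS))
```

The join deliberately starts from WAF events, so a dashboard built on it lists every logged WAF hit together with whatever the application recorded for the same request, which is the view needed to decide whether a DETECTION hit was a false positive.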