From 645d0412c360d33e40dc5ddc1b30032c7b98648d Mon Sep 17 00:00:00 2001
From: Chris Banks
Date: Thu, 14 Dec 2023 14:33:44 +0000
Subject: [PATCH] Rationalise ratelimit exemption rules.

Make it clearer as to what the rule does.
---
 terraform/projects/infra-public-wafs/cache_public_rule.tf | 8 ++++----
 terraform/projects/infra-public-wafs/variables.tf | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/terraform/projects/infra-public-wafs/cache_public_rule.tf b/terraform/projects/infra-public-wafs/cache_public_rule.tf
index e44ac78a1..546e0ee2d 100644
--- a/terraform/projects/infra-public-wafs/cache_public_rule.tf
+++ b/terraform/projects/infra-public-wafs/cache_public_rule.tf
@@ -31,12 +31,12 @@ resource "aws_wafv2_ip_set" "govuk_requesting_ips" {
 addresses = concat(var.traffic_replay_ips, local.nat_gateway_ips, var.eks_egress_ips)
 }
 
-resource "aws_wafv2_ip_set" "external_partner_ips" {
- name = "external_partner_ips"
- description = "The IP addresses are used by our partners."
+resource "aws_wafv2_ip_set" "high_request_rate" {
+ name = "high_request_rate"
+ description = "Source addresses from which we allow a higher ratelimit."
 scope = "REGIONAL"
 ip_address_version = "IPV4"
- addresses = var.allow_external_ips
+ addresses = var.allow_high_request_rate_from_cidrs
 }
 
 resource "aws_cloudwatch_log_group" "public_cache_waf" {
diff --git a/terraform/projects/infra-public-wafs/variables.tf b/terraform/projects/infra-public-wafs/variables.tf
index 5a2211596..7cfb238f6 100644
--- a/terraform/projects/infra-public-wafs/variables.tf
+++ b/terraform/projects/infra-public-wafs/variables.tf
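Review bot: The new description on `aws_wafv2_ip_set.high_request_rate` says these addresses are allowed a higher ratelimit, but an IP set is only an address list; the exemption is actually enforced by whichever rate-based rule statement references this set, and that rule is outside the hunk. Because the set's membership decides who bypasses the default per-IP threshold, a comment above the resource should point the reader at the enforcing rule, e.g. `# Referenced by the rate-based rule <RULE_NAME_PLACEHOLDER> in this file; addresses listed here are exempt from the default per-IP request threshold, so changes to the list are a security-relevant review item.` Note also that `name` is a replacement-forcing argument on `aws_wafv2_ip_set`, so changing it from `external_partner_ips` to `high_request_rate` recreates the set rather than updating it in place; the rule that referenced the old set presumably is updated in the same apply, but that cannot be confirmed from this hunk.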
@@ -105,9 +105,9 @@ variable "eks_egress_ips" {
 description = "An array of CIDR blocks for the corresponding EKS environment's NAT gateway IPs"
 }
 
-variable "allow_external_ips" {
+variable "allow_high_request_rate_from_cidrs" {
 type = list(string)
- description = "An array of CIDR blocks that are our partners using to send traffic to us"
+ description = "Source IP netblocks from which we allow a higher rate of requests."
 }
 
 variable "waf_log_retention_days" {
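Review bot: `allow_high_request_rate_from_cidrs` has no `validation` block, so a mistyped or overly broad netblock only surfaces at apply time, or not at all, even though every entry in this list is exempted from the public cache ratelimit. A `validation` requiring each element to parse as an IPv4 CIDR, matching the `ip_address_version = "IPV4"` on the set that consumes it, rejects typos at plan time; a second condition refusing a catch-all netblock is worth considering since one such entry would disable the protection for all traffic. The variable also has no `default`, so callers that still pass `allow_external_ips` will fail to plan until their tfvars are renamed, which is presumably intended but should be called out in the commit message.

```hcl
variable "allow_high_request_rate_from_cidrs" {
  type        = list(string)
  description = "Source IP netblocks from which we allow a higher rate of requests."

  validation {
    condition     = alltrue([for c in var.allow_high_request_rate_from_cidrs : can(cidrnetmask(c))])
    error_message = "Every entry must be a valid IPv4 CIDR block."
  }
}
```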