From 9426a8b96d6a1410a76c74437ffcc805e73e0754 Mon Sep 17 00:00:00 2001 From: gdemarcsek Date: Thu, 18 Jan 2024 15:27:23 +0100 Subject: [PATCH 1/5] add support for challenge_config attribute in wafv2_web_acl --- internal/service/wafv2/flex.go | 43 ++++++++++++++++++++++++++ internal/service/wafv2/web_acl.go | 6 ++++ internal/service/wafv2/web_acl_test.go | 7 +++++ 3 files changed, 56 insertions(+) diff --git a/internal/service/wafv2/flex.go b/internal/service/wafv2/flex.go index ed64fead136f..7688975bafb6 100644 --- a/internal/service/wafv2/flex.go +++ b/internal/service/wafv2/flex.go @@ -74,6 +74,32 @@ func expandCaptchaConfig(l []interface{}) *wafv2.CaptchaConfig { return configuration } +func expandChallengeConfig(l []interface{}) *wafv2.ChallengeConfig { + configuration := &wafv2.ChallengeConfig{} + + if len(l) == 0 || l[0] == nil { + return configuration + } + + m := l[0].(map[string]interface{}) + if v, ok := m["immunity_time_property"]; ok { + inner := v.([]interface{}) + if len(inner) == 0 || inner[0] == nil { + return configuration + } + + m = inner[0].(map[string]interface{}) + + if v, ok := m["immunity_time"]; ok { + configuration.ImmunityTimeProperty = &wafv2.ImmunityTimeProperty{ + ImmunityTime: aws.Int64(int64(v.(int))), + } + } + } + + return configuration +} + func expandAssociationConfig(l []interface{}) *wafv2.AssociationConfig { if len(l) == 0 || l[0] == nil { return nil 
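Review bot: The `if v, ok := m["immunity_time"]; ok` guard in `expandChallengeConfig` does not separate an unset value from a configured one. With the plugin SDK the nested map normally carries every schema key at its zero value, so an empty `immunity_time_property {}` block would presumably send `ImmunityTime: 0` and be rejected only at apply time. Testing the value as well, `if v, ok := m["immunity_time"].(int); ok && v > 0 {` followed by `ImmunityTime: aws.Int64(int64(v)),`, keeps an unset field out of the request and removes the unchecked `v.(int)` assertion. The function also lacks a doc comment; `// expandChallengeConfig converts the challenge_config block into a wafv2.ChallengeConfig and returns an empty, non-nil struct when the block is absent.` would record that the empty return is deliberate.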
@@ -1655,6 +1681,23 @@ func flattenCaptchaConfig(config *wafv2.CaptchaConfig) interface{} { return []interface{}{m} } +func flattenChallengeConfig(config *wafv2.ChallengeConfig) interface{} { + if config == nil { + return []interface{}{} + } + if config.ImmunityTimeProperty == nil { + return []interface{}{} + } + + m := map[string]interface{}{ + "immunity_time_property": []interface{}{map[string]interface{}{ + "immunity_time": aws.Int64Value(config.ImmunityTimeProperty.ImmunityTime), + }}, + } + + return []interface{}{m} +} + func flattenAssociationConfig(config *wafv2.AssociationConfig) interface{} { associationConfig := []interface{}{} if config == nil { diff --git a/internal/service/wafv2/web_acl.go b/internal/service/wafv2/web_acl.go index 41f4911602f5..7ad5dd347fe2 100644 --- a/internal/service/wafv2/web_acl.go +++ b/internal/service/wafv2/web_acl.go @@ -69,6 +69,7 @@ func ResourceWebACL() *schema.Resource { Computed: true, }, "captcha_config": outerCaptchaConfigSchema(), + "challenge_config": outerCaptchaConfigSchema(), "custom_response_body": customResponseBodySchema(), "default_action": { Type: schema.TypeList, @@ -179,6 +180,7 @@ func resourceWebACLCreate(ctx context.Context, d *schema.ResourceData, meta inte input := &wafv2.CreateWebACLInput{ AssociationConfig: expandAssociationConfig(d.Get("association_config").([]interface{})), CaptchaConfig: expandCaptchaConfig(d.Get("captcha_config").([]interface{})), + ChallengeConfig: expandChallengeConfig(d.Get("challenge_config").([]interface{})), DefaultAction: expandDefaultAction(d.Get("default_action").([]interface{})), Name: aws.String(name), Rules: expandWebACLRules(d.Get("rule").(*schema.Set).List()), 
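Review bot: The two nil guards at the top of `flattenChallengeConfig` return the same value and read more clearly as one condition, `if config == nil || config.ImmunityTimeProperty == nil {`. A doc comment is also missing; `// flattenChallengeConfig returns an empty list when the API reports no immunity time property, so no challenge_config block is written to state.` states the behaviour the guards implement.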
@@ -239,6 +241,9 @@ func resourceWebACLRead(ctx context.Context, d *schema.ResourceData, meta interf if err := d.Set("captcha_config", flattenCaptchaConfig(webACL.CaptchaConfig)); err != nil { return diag.Errorf("setting captcha_config: %s", err) } + if err := d.Set("challenge_config", flattenChallengeConfig(webACL.ChallengeConfig)); err != nil { + return diag.Errorf("setting challenge_config: %s", err) + } if err := d.Set("custom_response_body", flattenCustomResponseBodies(webACL.CustomResponseBodies)); err != nil { return diag.Errorf("setting custom_response_body: %s", err) } @@ -282,6 +287,7 @@ func resourceWebACLUpdate(ctx context.Context, d *schema.ResourceData, meta inte input := &wafv2.UpdateWebACLInput{ AssociationConfig: expandAssociationConfig(d.Get("association_config").([]interface{})), CaptchaConfig: expandCaptchaConfig(d.Get("captcha_config").([]interface{})), + ChallengeConfig: expandChallengeConfig(d.Get("challenge_config").([]interface{})), DefaultAction: expandDefaultAction(d.Get("default_action").([]interface{})), Id: aws.String(aclID), LockToken: aws.String(aclLockToken), diff --git a/internal/service/wafv2/web_acl_test.go b/internal/service/wafv2/web_acl_test.go index ae394f97c5f6..f0ae2f896c90 100644 --- a/internal/service/wafv2/web_acl_test.go +++ b/internal/service/wafv2/web_acl_test.go @@ -2441,6 +2441,7 @@ func TestAccWAFV2WebACL_Custom_requestHandling(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "visibility_config.0.sampled_requests_enabled", "false"), resource.TestCheckResourceAttr(resourceName, "captcha_config.#", "1"), resource.TestCheckResourceAttr(resourceName, "captcha_config.0.immunity_time_property.0.immunity_time", "120"), + resource.TestCheckResourceAttr(resourceName, "challenge_config.0.immunity_time_property.0.immunity_time", "300"), ), }, { 
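Review bot: The check added in `TestAccWAFV2WebACL_Custom_requestHandling` asserts `challenge_config.0.immunity_time_property.0.immunity_time` but, unlike the `captcha_config` pair directly above it, not the block count. Adding `resource.TestCheckResourceAttr(resourceName, "challenge_config.#", "1"),` keeps the two in step. The configured value of 300 may coincide with the service default for Challenge (to be confirmed against the WAFv2 documentation), in which case the assertion cannot tell a forwarded value from a default; a value that differs from the default would make the round trip unambiguous.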
@@ -3572,6 +3573,12 @@ resource "aws_wafv2_web_acl" "test" { immunity_time = 120 } } + + challenge_config { + immunity_time_property { + immunity_time = 300 + } + } } `, rName, firstHeader, secondHeader) } From e9cad49c507d8fe4b4048cf16a30f85752c1cb2d Mon Sep 17 00:00:00 2001 From: gdemarcsek Date: Thu, 18 Jan 2024 15:27:33 +0100 Subject: [PATCH 2/5] update docs --- website/docs/r/wafv2_web_acl.html.markdown | 2 ++ 1 file changed, 2 insertions(+) diff --git a/website/docs/r/wafv2_web_acl.html.markdown b/website/docs/r/wafv2_web_acl.html.markdown index 65f0ac567c56..708838a15634 100644 --- a/website/docs/r/wafv2_web_acl.html.markdown +++ b/website/docs/r/wafv2_web_acl.html.markdown 
@@ -422,6 +422,8 @@ resource "aws_wafv2_web_acl" "test" { This resource supports the following arguments: * `association_config` - (Optional) Specifies custom configurations for the associations between the web ACL and protected resources. See [`association_config`](#association_config-block) below for details. +* `captcha_config` - (Optional) Specifies how AWS WAF should handle CAPTCHA evaluations on the ACL level (used by [AWS Bot Control](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html)). See [`captcha_config`](#captcha_config-block) below for details. +* `challenge_config` - (Optional) Specifies how AWS WAF should handle Challenge evaluations on the ACL level (used by [AWS Bot Control](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html)). See [`captcha_config`](#captcha_config-block) below for details. * `custom_response_body` - (Optional) Defines custom response bodies that can be referenced by `custom_response` actions. See [`custom_response_body`](#custom_response_body-block) below for details. * `default_action` - (Required) Action to perform if none of the `rules` contained in the WebACL match. See [`default_action`](#default_action-block) below for details. * `description` - (Optional) Friendly description of the WebACL. From 5e6f141a210518dd4de9202eb65cf5e80d8a4d2f Mon Sep 17 00:00:00 2001 From: gdemarcsek Date: Thu, 18 Jan 2024 15:43:46 +0100 Subject: [PATCH 3/5] add changelog entry --- .changelog/35367.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 .changelog/35367.txt diff --git a/.changelog/35367.txt b/.changelog/35367.txt new file mode 100644 index 000000000000..776c5874313a --- /dev/null +++ b/.changelog/35367.txt @@ -0,0 +1,3 @@ +```release-note:enhancement +resource/aws_wafv2_web_acl: Add `challenge_config` argument +``` From b6a9cd7c1967f1d589ad5bd9891a832e444885f7 Mon Sep 17 00:00:00 2001 
From: gdemarcsek Date: Wed, 24 Jan 2024 15:20:22 +0100 Subject: [PATCH 4/5] fix acceptance test linter issue --- internal/service/wafv2/web_acl_test.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/internal/service/wafv2/web_acl_test.go b/internal/service/wafv2/web_acl_test.go index f0ae2f896c90..9ca146e3a7f5 100644 --- a/internal/service/wafv2/web_acl_test.go +++ b/internal/service/wafv2/web_acl_test.go @@ -3575,9 +3575,9 @@ resource "aws_wafv2_web_acl" "test" { } challenge_config { - immunity_time_property { - immunity_time = 300 - } + immunity_time_property { + immunity_time = 300 + } } } `, rName, firstHeader, secondHeader) From b7eca7f7fc488f7748d0b8c214bdff8fddabc1ea Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Wed, 24 Jan 2024 11:04:59 -0500 Subject: [PATCH 5/5] r/aws_wafv2_web_acl: 'challenge_config' has its own schema. --- internal/service/wafv2/schemas.go | 25 ++++++++++++++++++++++ internal/service/wafv2/web_acl.go | 2 +- internal/service/wafv2/web_acl_test.go | 1 + website/docs/r/wafv2_web_acl.html.markdown | 8 ++++++- 4 files changed, 34 insertions(+), 2 deletions(-) diff --git a/internal/service/wafv2/schemas.go b/internal/service/wafv2/schemas.go index ec60542b3455..be83500840a1 100644 --- a/internal/service/wafv2/schemas.go +++ b/internal/service/wafv2/schemas.go @@ -618,6 +618,31 @@ func challengeConfigSchema() *schema.Schema { } } +func outerChallengeConfigSchema() *schema.Schema { + return &schema.Schema{ + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "immunity_time_property": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "immunity_time": { + Type: schema.TypeInt, + Optional: true, + }, + }, + }, + }, + }, + }, + } +} + func countConfigSchema() *schema.Schema { return &schema.Schema{ Type: schema.TypeList, 
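Review bot: `immunity_time` in `outerChallengeConfigSchema` is a bare `schema.TypeInt` with no `ValidateFunc`, so an out-of-range value is rejected only by the API at apply time. The setting controls how long a solved challenge exempts a client from re-evaluation, so an unusually long window weakens bot mitigation and currently passes plan review without any provider-side bound. The WAFv2 API reference documents a bounded range for `ImmunityTime`; adding `ValidateFunc: validation.IntBetween(<MIN_SECONDS>, <MAX_SECONDS>),` with the documented limits would surface mistakes at plan time. Whether the `validation` package is already imported in schemas.go is not visible in this hunk.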
diff --git a/internal/service/wafv2/web_acl.go b/internal/service/wafv2/web_acl.go index 7ad5dd347fe2..0b2155da157e 100644 --- a/internal/service/wafv2/web_acl.go +++ b/internal/service/wafv2/web_acl.go @@ -69,7 +69,7 @@ func ResourceWebACL() *schema.Resource { Computed: true, }, "captcha_config": outerCaptchaConfigSchema(), - "challenge_config": outerCaptchaConfigSchema(), + "challenge_config": outerChallengeConfigSchema(), "custom_response_body": customResponseBodySchema(), "default_action": { Type: schema.TypeList, diff --git a/internal/service/wafv2/web_acl_test.go b/internal/service/wafv2/web_acl_test.go index 9ca146e3a7f5..e16534cd2618 100644 --- a/internal/service/wafv2/web_acl_test.go +++ b/internal/service/wafv2/web_acl_test.go @@ -52,6 +52,7 @@ func TestAccWAFV2WebACL_basic(t *testing.T) { acctest.MatchResourceAttrRegionalARN(resourceName, "arn", "wafv2", regexache.MustCompile(`regional/webacl/.+$`)), resource.TestCheckResourceAttr(resourceName, "association_config.#", "0"), resource.TestCheckResourceAttr(resourceName, "captcha_config.#", "0"), + resource.TestCheckResourceAttr(resourceName, "challenge_config.#", "0"), resource.TestCheckResourceAttr(resourceName, "default_action.#", "1"), resource.TestCheckResourceAttr(resourceName, "default_action.0.allow.#", "1"), resource.TestCheckResourceAttr(resourceName, "default_action.0.block.#", "0"), diff --git a/website/docs/r/wafv2_web_acl.html.markdown b/website/docs/r/wafv2_web_acl.html.markdown index 708838a15634..b951cd06d471 100644 --- a/website/docs/r/wafv2_web_acl.html.markdown +++ b/website/docs/r/wafv2_web_acl.html.markdown 
@@ -423,7 +423,7 @@ This resource supports the following arguments: * `association_config` - (Optional) Specifies custom configurations for the associations between the web ACL and protected resources. See [`association_config`](#association_config-block) below for details. * `captcha_config` - (Optional) Specifies how AWS WAF should handle CAPTCHA evaluations on the ACL level (used by [AWS Bot Control](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html)). See [`captcha_config`](#captcha_config-block) below for details. -* `challenge_config` - (Optional) Specifies how AWS WAF should handle Challenge evaluations on the ACL level (used by [AWS Bot Control](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html)). See [`captcha_config`](#captcha_config-block) below for details. +* `challenge_config` - (Optional) Specifies how AWS WAF should handle Challenge evaluations on the ACL level (used by [AWS Bot Control](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html)). See [`challenge_config`](#challenge_config-block) below for details. * `custom_response_body` - (Optional) Defines custom response bodies that can be referenced by `custom_response` actions. See [`custom_response_body`](#custom_response_body-block) below for details. * `default_action` - (Required) Action to perform if none of the `rules` contained in the WebACL match. See [`default_action`](#default_action-block) below for details. * `description` - (Optional) Friendly description of the WebACL. 
@@ -930,6 +930,12 @@ The `captcha_config` block supports the following arguments: * `immunity_time_property` - (Optional) Defines custom immunity time. See [`immunity_time_property`](#immunity_time_property-block) below for details. +### `challenge_config` Block + +The `challenge_config` block supports the following arguments: + +* `immunity_time_property` - (Optional) Defines custom immunity time. See [`immunity_time_property`](#immunity_time_property-block) below for details. + ### `immunity_time_property` Block The `immunity_time_property` block supports the following arguments: