Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update exclude_rule for Deprecations, Add Custom Response Body, Allow oversize_handling Option #30

Closed
wants to merge 14 commits into from
Closed

Update exclude_rule for Deprecations, Add Custom Response Body, Allow oversize_handling Option #30

wants to merge 14 commits into from

Conversation

milldr
Copy link
Member

@milldr milldr commented Mar 17, 2023
edited by max-lobur
Loading

BREAKING CHANGE This change changes the variable for excluded_rule in both managed_rule_group_statement_rules and rule_group_reference_statement_rules

what

  • Updated exclude_rule option for managed_rule_group_statement_rules
  • Add option for Custom Response Body
  • Add option for oversize_handing for size_constraint_statement_rules
  • Ensure AWS V5 Support

why

  1. excluded_rule is deprecated and instead we should be using rule_action_override

excluded_rule - (Optional, Deprecated) The rules whose actions are set to COUNT by the web ACL, regardless of the action that is set on the rule. See excluded_rule below for details. Use rule_action_override instead. (See the documentation)

  1. Custom Response Body is supported by Terraform, and we should include it with this module
  2. oversize_handling defaults to CONTINUE. We want to set this as an option

references

@milldr milldr requested review from a team as code owners March 17, 2023 21:42
@milldr milldr requested review from jamengual and joe-niland March 17, 2023 21:42
@milldr
Copy link
Member Author

milldr commented Mar 17, 2023

/test all

bridgecrew[bot]
bridgecrew bot reviewed Mar 17, 2023
View reviewed changes
Copy link

@bridgecrew bridgecrew bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bridgecrew has found errors in this PR ⬇️

bridgecrew[bot]
bridgecrew bot reviewed Mar 17, 2023
View reviewed changes
@milldr
Copy link
Member Author

milldr commented Mar 30, 2023

/rebuild-readme

@milldr
Copy link
Member Author

milldr commented Mar 30, 2023

/test all

@milldr milldr changed the title Support action_to_use allow with Managed Rule Group Statement Rules Update exclude_rule for Deprecations, Add Custom Response Body, Allow oversize_handling Option Mar 30, 2023
bridgecrew[bot]
bridgecrew bot reviewed Mar 30, 2023
View reviewed changes
bridgecrew[bot]
bridgecrew bot reviewed Mar 30, 2023
View reviewed changes
@milldr
Copy link
Member Author

milldr commented Mar 30, 2023

/test all

bridgecrew[bot]
bridgecrew bot reviewed Mar 30, 2023
View reviewed changes
milldr
milldr commented Mar 31, 2023
View reviewed changes
rules.tf
@@ -576,11 +596,29 @@ resource "aws_wafv2_web_acl" "default" {
content {
arn = rule_group_reference_statement.value.arn

dynamic "excluded_rule" {
for_each = lookup(rule_group_reference_statement.value, "excluded_rule", null) != null ? toset(rule_group_reference_statement.value.excluded_rule) : []
dynamic "rule_action_override" {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

leave excluded_rule as is to prevent breaking change, and instead add new option for rule_action_override

max-lobur
max-lobur previously approved these changes Jun 21, 2023
View reviewed changes
bridgecrew[bot]
bridgecrew bot reviewed Jun 21, 2023
View reviewed changes
@max-lobur
Copy link
Contributor

/terratest

@max-lobur max-lobur mentioned this pull request Jun 21, 2023
Closed
@max-lobur max-lobur added the major Breaking changes (or first stable release) label Jun 21, 2023
max-lobur
max-lobur reviewed Jun 21, 2023
View reviewed changes
rules.tf
name = rule_action_override.key
action_to_use {
dynamic "allow" {
for_each = rule_action_override.value.action == "allow" ? [1] : []
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fails tests with "action" missing attribute in a map

aknysh
aknysh reviewed Jul 6, 2023
View reviewed changes
rules.tf
dynamic "excluded_rule" {
for_each = lookup(managed_rule_group_statement.value, "excluded_rule", null) != null ? toset(managed_rule_group_statement.value.excluded_rule) : []
dynamic "rule_action_override" {
for_each = lookup(managed_rule_group_statement.value, "excluded_rule", null) != null ? managed_rule_group_statement.value.excluded_rule : {}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
for_each = lookup(managed_rule_group_statement.value, "excluded_rule", null) != null ? managed_rule_group_statement.value.excluded_rule : {}
for_each = lookup(managed_rule_group_statement.value, "rule_action_override", null) != null ? managed_rule_group_statement.value. rule_action_override : {}

aknysh
aknysh reviewed Jul 6, 2023
View reviewed changes
rules.tf
dynamic "excluded_rule" {
for_each = lookup(rule_group_reference_statement.value, "excluded_rule", null) != null ? toset(rule_group_reference_statement.value.excluded_rule) : []
dynamic "rule_action_override" {
for_each = lookup(rule_group_reference_statement.value, "excluded_rule", null) != null ? rule_group_reference_statement.value.excluded_rule : {}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
for_each = lookup(rule_group_reference_statement.value, "excluded_rule", null) != null ? rule_group_reference_statement.value.excluded_rule : {}
for_each = lookup(rule_group_reference_statement.value, "rule_action_override", null) != null ? rule_group_reference_statement.value. rule_action_override : {}

@aknysh aknysh mentioned this pull request Jul 11, 2023
Merged
@aknysh aknysh closed this in #45 Jul 12, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@max-lobur max-lobur max-lobur left review comments

@aknysh aknysh aknysh left review comments

@bridgecrew bridgecrew[bot] bridgecrew[bot] left review comments

@jamengual jamengual Awaiting requested review from jamengual jamengual is a code owner automatically assigned from cloudposse/contributors

@joe-niland joe-niland Awaiting requested review from joe-niland joe-niland is a code owner automatically assigned from cloudposse/contributors

Assignees
No one assigned
Labels
major Breaking changes (or first stable release)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@milldr @max-lobur @aknysh @actions-bot @cloudpossebot