Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update exclude_rule for Deprecations, Add Custom Response Body, Allow oversize_handling Option #30

Closed
wants to merge 14 commits into from
Closed

Update exclude_rule for Deprecations, Add Custom Response Body, Allow oversize_handling Option #30

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
7ec83e8
added allowed rules as an option for managed_rule_group_statement_rules
milldr Mar 17, 2023
6bbd951
added allowed rules as an option for managed_rule_group_statement_rules
milldr Mar 17, 2023
f66691a
Updated README.md
actions-bot Mar 30, 2023
6195df5
Merge branch 'master' into allowed_managed_rules
milldr Mar 30, 2023
491d741
corrected excluded_rule instead of adding alternative, added custom r…
milldr Mar 30, 2023
5a029e7
Merge branch 'allowed_managed_rules' of github.com:cloudposse/terrafo…
milldr Mar 30, 2023
b199d2f
Auto Format
cloudpossebot Mar 30, 2023
db190a9
support rule actions with excluded rules
milldr Mar 30, 2023
31aaef8
Merge branch 'allowed_managed_rules' of github.com:cloudposse/terrafo…
milldr Mar 30, 2023
8ffa0a6
Auto Format
cloudpossebot Mar 30, 2023
2c42569
corrected example
milldr Mar 30, 2023
b517567
Merge branch 'allowed_managed_rules' of github.com:cloudposse/terrafo…
milldr Mar 30, 2023
30194f9
Merge branch 'main' into allowed_managed_rules
max-lobur Jun 21, 2023
48b3a53
Support AWS Provider V5
max-lobur Jun 21, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .github/workflows/release-branch.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ on:
- 'docs/**'
- 'examples/**'
- 'test/**'
- 'README.*'

permissions:
contents: write
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/release-published.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,4 +11,4 @@ permissions:

jobs:
terraform-module:
uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release.yml@main
uses: cloudposse/github-actions-workflows-terraform-module/.github/workflows/release-published.yml@main
7 changes: 4 additions & 3 deletions README.md
View file
Open in desktop

Large diffs are not rendered by default.

7 changes: 4 additions & 3 deletions docs/terraform.md
View file
Open in desktop

Large diffs are not rendered by default.

17 changes: 13 additions & 4 deletions examples/complete/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,10 +48,12 @@ module "waf" {
name = "AWSManagedRulesCommonRuleSet"
vendor_name = "AWS"

excluded_rule = [
"SizeRestrictions_QUERYSTRING",
"NoUserAgent_HEADER"
]
excluded_rule = {
"SizeRestrictions_QUERYSTRING" = {},
"NoUserAgent_HEADER" = {
action = "block"
}
}
}

visibility_config = {
Expand Down Expand Up @@ -207,5 +209,12 @@ module "waf" {
}
]

custom_response_bodies = {
"foobar" = {
content = "this is custom response"
content_type = "TEXT_PLAIN"
}
}

context = module.this.context
}
2 changes: 1 addition & 1 deletion examples/complete/versions.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
terraform {
required_version = ">= 1.2.4"
required_version = ">= 1.3"

required_providers {
aws = {
Expand Down
4 changes: 2 additions & 2 deletions main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,14 +2,14 @@ resource "aws_wafv2_web_acl_association" "default" {
count = module.this.enabled && length(var.association_resource_arns) > 0 ? length(var.association_resource_arns) : 0

resource_arn = var.association_resource_arns[count.index]
web_acl_arn = join("", aws_wafv2_web_acl.default.*.arn)
web_acl_arn = join("", aws_wafv2_web_acl.default[*].arn)
}

resource "aws_wafv2_web_acl_logging_configuration" "default" {
count = module.this.enabled && length(var.log_destination_configs) > 0 ? 1 : 0

log_destination_configs = var.log_destination_configs
resource_arn = join("", aws_wafv2_web_acl.default.*.arn)
resource_arn = join("", aws_wafv2_web_acl.default[*].arn)

dynamic "redacted_fields" {
for_each = var.redacted_fields
Expand Down
8 changes: 4 additions & 4 deletions outputs.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,19 +1,19 @@
output "id" {
description = "The ID of the WAF WebACL."
value = join("", aws_wafv2_web_acl.default.*.id)
value = join("", aws_wafv2_web_acl.default[*].id)
}

output "arn" {
description = "The ARN of the WAF WebACL."
value = join("", aws_wafv2_web_acl.default.*.arn)
value = join("", aws_wafv2_web_acl.default[*].arn)
}

output "capacity" {
description = "The web ACL capacity units (WCUs) currently being used by this web ACL."
value = join("", aws_wafv2_web_acl.default.*.capacity)
value = join("", aws_wafv2_web_acl.default[*].capacity)
}

output "logging_config_id" {
description = "The ARN of the WAFv2 Web ACL logging configuration."
value = join("", aws_wafv2_web_acl_logging_configuration.default.*.id)
value = join("", aws_wafv2_web_acl_logging_configuration.default[*].id)
}
64 changes: 57 additions & 7 deletions rules.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,8 @@ locals {
rule.action,
) => rule
} : {}

custom_response_bodies = module.this.enabled && var.custom_response_bodies != null ? var.custom_response_bodies : {}
}

resource "aws_wafv2_web_acl" "default" {
Expand Down Expand Up @@ -361,11 +363,29 @@ resource "aws_wafv2_web_acl" "default" {
name = managed_rule_group_statement.value.name
vendor_name = managed_rule_group_statement.value.vendor_name

dynamic "excluded_rule" {
for_each = lookup(managed_rule_group_statement.value, "excluded_rule", null) != null ? toset(managed_rule_group_statement.value.excluded_rule) : []
dynamic "rule_action_override" {
for_each = lookup(managed_rule_group_statement.value, "excluded_rule", null) != null ? managed_rule_group_statement.value.excluded_rule : {}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
for_each = lookup(managed_rule_group_statement.value, "excluded_rule", null) != null ? managed_rule_group_statement.value.excluded_rule : {}
for_each = lookup(managed_rule_group_statement.value, "rule_action_override", null) != null ? managed_rule_group_statement.value. rule_action_override : {}


content {
name = excluded_rule.value
name = rule_action_override.key
action_to_use {
dynamic "allow" {
for_each = rule_action_override.value.action == "allow" ? [1] : []
content {}
}
dynamic "block" {
for_each = rule_action_override.value.action == "block" ? [1] : []
content {}
}
dynamic "count" {
for_each = rule_action_override.value.action == "count" ? [1] : []
content {}
}
dynamic "captcha" {
for_each = rule_action_override.value.action == "captcha" ? [1] : []
content {}
}
}
}
}
}
Expand Down Expand Up @@ -576,11 +596,29 @@ resource "aws_wafv2_web_acl" "default" {
content {
arn = rule_group_reference_statement.value.arn

dynamic "excluded_rule" {
for_each = lookup(rule_group_reference_statement.value, "excluded_rule", null) != null ? toset(rule_group_reference_statement.value.excluded_rule) : []
dynamic "rule_action_override" {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

leave excluded_rule as is to prevent breaking change, and instead add new option for rule_action_override

for_each = lookup(rule_group_reference_statement.value, "excluded_rule", null) != null ? rule_group_reference_statement.value.excluded_rule : {}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
for_each = lookup(rule_group_reference_statement.value, "excluded_rule", null) != null ? rule_group_reference_statement.value.excluded_rule : {}
for_each = lookup(rule_group_reference_statement.value, "rule_action_override", null) != null ? rule_group_reference_statement.value. rule_action_override : {}


content {
name = excluded_rule.value
name = rule_action_override.key
action_to_use {
dynamic "allow" {
for_each = rule_action_override.value.action == "allow" ? [1] : []
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fails tests with "action" missing attribute in a map

content {}
}
dynamic "block" {
for_each = rule_action_override.value.action == "block" ? [1] : []
content {}
}
dynamic "count" {
for_each = rule_action_override.value.action == "count" ? [1] : []
content {}
}
dynamic "captcha" {
for_each = rule_action_override.value.action == "captcha" ? [1] : []
content {}
}
}
}
}
}
Expand Down Expand Up @@ -645,7 +683,9 @@ resource "aws_wafv2_web_acl" "default" {
dynamic "body" {
for_each = lookup(field_to_match.value, "body", null) != null ? [1] : []

content {}
content {
oversize_handling = try(field_to_match.value.body.oversize_handling, null)
}
}

dynamic "method" {
Expand Down Expand Up @@ -934,5 +974,15 @@ resource "aws_wafv2_web_acl" "default" {
}
}
}

# Attach a list of custom response bodies to the web ACL
dynamic "custom_response_body" {
for_each = local.custom_response_bodies
content {
key = custom_response_body.key
content = custom_response_body.value.content
content_type = custom_response_body.value.content_type
}
}
}

23 changes: 21 additions & 2 deletions variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -178,7 +178,7 @@ variable "managed_rule_group_statement_rules" {
vendor_name:
The name of the managed rule group vendor.
excluded_rule:
The list of names of the rules to exclude.
The map rules to exclude with the action to take.

visibility_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.
Expand Down Expand Up @@ -291,7 +291,7 @@ variable "rule_group_reference_statement_rules" {
arn:
The ARN of the `aws_wafv2_rule_group` resource.
excluded_rule:
The list of names of the rules to exclude.
The map rules to exclude with the action to take.

visibility_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.
Expand Down Expand Up @@ -451,3 +451,22 @@ variable "redacted_fields" {
The list of names of the query headers to redact.
DOC
}

variable "custom_response_bodies" {
type = map(object({
content = string
content_type = string
}))
description = <<-DOC
A map of the custom response bodies to include with the WAF ACL.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#custom-response

key:
The name of the custom response.
content:
The custom response body.
content_type:
The content type of the custom response.
DOC
default = {}
}
2 changes: 1 addition & 1 deletion versions.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
terraform {
required_version = ">= 1.2.4"
required_version = ">= 1.3"

required_providers {
aws = {
Expand Down