Merge branch 'main' into migration/20240523

.github/settings.yml

@@ -5,3 +5,6 @@ repository:
   description: ""
   homepage: https://cloudposse.com/accelerate
   topics: security, compliance
+
+
+

.github/workflows/chatops.yml

@@ -8,9 +8,10 @@ permissions:
   pull-requests: write
   id-token: write
   contents: write
+  statuses: write
 
 jobs:
-  terraform-module:
+  test:
     uses: cloudposse/.github/.github/workflows/shared-terraform-chatops.yml@main
-    secrets:
-      github_access_token: ${{ secrets.REPO_ACCESS_TOKEN }}
+    if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/terratest') }}
+    secrets: inherit

examples/complete/main.tf

@@ -158,8 +158,24 @@ module "waf" {
       priority = 40
 
       statement = {
-        limit              = 100
-        aggregate_key_type = "IP"
+        limit                 = 100
+        aggregate_key_type    = "IP"
+        evaluation_window_sec = 300
+        scope_down_statement = {
+          byte_match_statement = {
+            positional_constraint = "STARTS_WITH"
+            search_string         = "example-scope-down-statement"
+            field_to_match = {
+              uri_path = true
+            }
+            text_transformation = [
+              {
+                priority = 40
+                type     = "NONE"
+              }
+            ]
+          }
+        }
       }
 
       visibility_config = {

rules.tf

@@ -88,6 +88,8 @@ locals {
       rule.action,
     ) => rule
   } : {}
+
+  default_custom_response_body_key = var.default_block_custom_response_body_key != null ? contains(keys(var.custom_response_body), var.default_block_custom_response_body_key) ? var.default_block_custom_response_body_key : null : null
 }
 
 resource "aws_wafv2_web_acl" "default" {
@@ -111,7 +113,8 @@ resource "aws_wafv2_web_acl" "default" {
         dynamic "custom_response" {
           for_each = var.default_block_response != null ? [true] : []
           content {
-            response_code = var.default_block_response
+            response_code            = var.default_block_response
+            custom_response_body_key = local.default_custom_response_body_key
           }
         }
       }
@@ -605,7 +608,8 @@ resource "aws_wafv2_web_acl" "default" {
                 dynamic "aws_managed_rules_bot_control_rule_set" {
                   for_each = lookup(managed_rule_group_configs.value, "aws_managed_rules_bot_control_rule_set", null) != null ? [1] : []
                   content {
-                    inspection_level = managed_rule_group_configs.value.aws_managed_rules_bot_control_rule_set.inspection_level
+                    inspection_level        = managed_rule_group_configs.value.aws_managed_rules_bot_control_rule_set.inspection_level
+                    enable_machine_learning = managed_rule_group_configs.value.aws_managed_rules_bot_control_rule_set.enable_machine_learning
                   }
                 }
 
@@ -731,8 +735,9 @@ resource "aws_wafv2_web_acl" "default" {
           for_each = lookup(rule.value, "statement", null) != null ? [rule.value.statement] : []
 
           content {
-            aggregate_key_type = lookup(rate_based_statement.value, "aggregate_key_type", "IP")
-            limit              = rate_based_statement.value.limit
+            aggregate_key_type    = lookup(rate_based_statement.value, "aggregate_key_type", "IP")
+            limit                 = rate_based_statement.value.limit
+            evaluation_window_sec = lookup(rate_based_statement.value, "evaluation_window_sec", 300)
 
             dynamic "forwarded_ip_config" {
               for_each = lookup(rate_based_statement.value, "forwarded_ip_config", null) != null ? [rate_based_statement.value.forwarded_ip_config] : []
@@ -742,6 +747,86 @@ resource "aws_wafv2_web_acl" "default" {
                 header_name       = forwarded_ip_config.value.header_name
               }
             }
+
+            dynamic "scope_down_statement" {
+              for_each = lookup(rate_based_statement.value, "scope_down_statement", null) != null ? [rate_based_statement.value.scope_down_statement] : []
+
+              content {
+                dynamic "byte_match_statement" {
+                  for_each = lookup(scope_down_statement.value, "byte_match_statement", null) != null ? [scope_down_statement.value.byte_match_statement] : []
+
+                  content {
+                    positional_constraint = byte_match_statement.value.positional_constraint
+                    search_string         = byte_match_statement.value.search_string
+
+                    dynamic "field_to_match" {
+                      for_each = lookup(byte_match_statement.value, "field_to_match", null) != null ? [byte_match_statement.value.field_to_match] : []
+
+                      content {
+                        dynamic "all_query_arguments" {
+                          for_each = lookup(field_to_match.value, "all_query_arguments", null) != null ? [1] : []
+
+                          content {}
+                        }
+
+                        dynamic "body" {
+                          for_each = lookup(field_to_match.value, "body", null) != null ? [1] : []
+
+                          content {}
+                        }
+
+                        dynamic "method" {
+                          for_each = lookup(field_to_match.value, "method", null) != null ? [1] : []
+
+                          content {}
+                        }
+
+                        dynamic "query_string" {
+                          for_each = lookup(field_to_match.value, "query_string", null) != null ? [1] : []
+
+                          content {}
+                        }
+
+                        dynamic "single_header" {
+                          for_each = lookup(field_to_match.value, "single_header", null) != null ? [field_to_match.value.single_header] : []
+
+                          content {
+                            name = single_header.value.name
+                          }
+                        }
+
+                        dynamic "single_query_argument" {
+                          for_each = lookup(field_to_match.value, "single_query_argument", null) != null ? [field_to_match.value.single_query_argument] : []
+
+                          content {
+                            name = single_query_argument.value.name
+                          }
+                        }
+
+                        dynamic "uri_path" {
+                          for_each = lookup(field_to_match.value, "uri_path", null) != null ? [1] : []
+
+                          content {}
+                        }
+                      }
+                    }
+
+                    dynamic "text_transformation" {
+                      for_each = lookup(byte_match_statement.value, "text_transformation", null) != null ? [
+                        for rule in byte_match_statement.value.text_transformation : {
+                          priority = rule.priority
+                          type     = rule.type
+                      }] : []
+
+                      content {
+                        priority = text_transformation.value.priority
+                        type     = text_transformation.value.type
+                      }
+                    }
+                  }
+                }
+              }
+            }
           }
         }
       }

variables.tf

@@ -391,7 +391,8 @@ variable "managed_rule_group_statement_rules" {
       })), null)
       managed_rule_group_configs = optional(list(object({
         aws_managed_rules_bot_control_rule_set = optional(object({
-          inspection_level = string
+          inspection_level        = string
+          enable_machine_learning = optional(bool, true)
         }), null)
         aws_managed_rules_atp_rule_set = optional(object({
           enable_regex_in_path = optional(bool)
@@ -500,7 +501,34 @@ variable "rate_based_statement_rules" {
       })
     }), null)
     rule_label = optional(list(string), null)
-    statement  = any
+    statement = object({
+      limit                 = number
+      aggregate_key_type    = string
+      evaluation_window_sec = optional(number)
+      forwarded_ip_config = optional(object({
+        fallback_behavior = string
+        header_name       = string
+      }), null)
+      scope_down_statement = optional(object({
+        byte_match_statement = object({
+          positional_constraint = string
+          search_string         = string
+          field_to_match = object({
+            all_query_arguments   = optional(bool)
+            body                  = optional(bool)
+            method                = optional(bool)
+            query_string          = optional(bool)
+            single_header         = optional(object({ name = string }))
+            single_query_argument = optional(object({ name = string }))
+            uri_path              = optional(bool)
+          })
+          text_transformation = list(object({
+            priority = number
+            type     = string
+          }))
+        })
+      }), null)
+    })
     visibility_config = optional(object({
       cloudwatch_metrics_enabled = optional(bool)
       metric_name                = string
@@ -539,12 +567,28 @@ variable "rate_based_statement_rules" {
          Possible values include: `FORWARDED_IP` or `IP`
       limit:
         The limit on requests per 5-minute period for a single originating IP address.
+      evaluation_window_sec:
+        The amount of time, in seconds, that AWS WAF should include in its request counts, looking back from the current time.
+        Valid values are 60, 120, 300, and 600. Defaults to 300 (5 minutes).
       forwarded_ip_config:
         fallback_behavior:
           The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.
           Possible values: `MATCH`, `NO_MATCH`
         header_name:
           The name of the HTTP header to use for the IP address.
+      byte_match_statement:
+        field_to_match:
+          Part of a web request that you want AWS WAF to inspect.
+        positional_constraint:
+          Area within the portion of a web request that you want AWS WAF to search for search_string. 
+          Valid values include the following: `EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CONTAINS_WORD`.
+        search_string:
+          String value that you want AWS WAF to search for.
+          AWS WAF searches only in the part of web requests that you designate for inspection in `field_to_match`.
+          The maximum length of the value is 50 bytes.
+        text_transformation:
+          Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
+          See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation
 
     visibility_config:
       Defines and enables Amazon CloudWatch metrics and web request sample collection.
@@ -558,6 +602,7 @@ variable "rate_based_statement_rules" {
   DOC
 }
 
+
 variable "regex_pattern_set_reference_statement_rules" {
   type = list(object({
     name     = string
@@ -1047,3 +1092,14 @@ variable "default_block_response" {
   DOC
   nullable    = true
 }
+
+variable "default_block_custom_response_body_key" {
+  type        = string
+  default     = null
+  description = <<-DOC
+    References the default response body that you want AWS WAF to return to the web request client.
+    This must reference a key defined in a custom_response_body block of this resource.
+    Only takes effect if default_action is set to `block`.
+  DOC
+  nullable    = true
+}