Add scope_down_statement Support (#87)
* feat: add initial scope down statement

* feat: support scope down byte matching

* update docs

* update text transformation

Co-authored-by: Andriy Knysh <[email protected]>

* update docs

---------

Co-authored-by: Andriy Knysh <[email protected]>
RoseSecurity and aknysh authored Jun 26, 2024
1 parent eb8dc41 commit f4f8031
Showing 4 changed files with 99 additions and 2 deletions.
2 changes: 1 addition & 1 deletion README.md
@@ -201,7 +201,7 @@ Available targets:
| <a name="input_managed_rule_group_statement_rules"></a> [managed\_rule\_group\_statement\_rules](#input\_managed\_rule\_group\_statement\_rules) | A rule statement used to run the rules that are defined in a managed rule group.<br><br>name:<br> A friendly name of the rule.<br>priority:<br> If you define more than one Rule in a WebACL,<br> AWS WAF evaluates each request against the rules in order based on the value of priority.<br> AWS WAF processes rules with lower priority first.<br><br>override\_action:<br> The override action to apply to the rules in a rule group.<br> Possible values: `count`, `none`<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br> Defines custom immunity time.<br><br> immunity\_time:<br> The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>rule\_label:<br> A List of labels to apply to web requests that match the rule match statement<br><br>statement:<br> name:<br> The name of the managed rule group.<br> vendor\_name:<br> The name of the managed rule group vendor.<br> version:<br> The version of the managed rule group.<br> You can set `Version_1.0` or `Version_1.1` etc. If you want to use the default version, do not set anything.<br> rule\_action\_override:<br> Action settings to use in the place of the rule actions that are configured inside the rule group.<br> You specify one override for each rule whose action you want to change.<br> managed\_rule\_group\_configs:<br> Additional information that's used by a managed rule group. 
Only one rule attribute is allowed in each config.<br> Refer to https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html for more details.<br><br>visibility\_config:<br> Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br> cloudwatch\_metrics\_enabled:<br> Whether the associated resource sends metrics to CloudWatch.<br> metric\_name:<br> A friendly name of the CloudWatch metric.<br> sampled\_requests\_enabled:<br> Whether AWS WAF should store a sampling of the web requests that match the rules. | <pre>list(object({<br> name = string<br> priority = number<br> override_action = optional(string)<br> captcha_config = optional(object({<br> immunity_time_property = object({<br> immunity_time = number<br> })<br> }), null)<br> rule_label = optional(list(string), null)<br> statement = object({<br> name = string<br> vendor_name = string<br> version = optional(string)<br> rule_action_override = optional(map(object({<br> action = string<br> custom_request_handling = optional(object({<br> insert_header = object({<br> name = string<br> value = string<br> })<br> }), null)<br> custom_response = optional(object({<br> response_code = string<br> response_header = optional(object({<br> name = string<br> value = string<br> }), null)<br> }), null)<br> })), null)<br> managed_rule_group_configs = optional(list(object({<br> aws_managed_rules_bot_control_rule_set = optional(object({<br> inspection_level = string<br> }), null)<br> aws_managed_rules_atp_rule_set = optional(object({<br> enable_regex_in_path = optional(bool)<br> login_path = string<br> request_inspection = optional(object({<br> payload_type = string<br> password_field = object({<br> identifier = string<br> })<br> username_field = object({<br> identifier = string<br> })<br> }), null)<br> response_inspection = optional(object({<br> body_contains = optional(object({<br> success_strings = list(string)<br> failure_strings = list(string)<br> }), null)<br> header = 
optional(object({<br> name = string<br> success_values = list(string)<br> failure_values = list(string)<br> }), null)<br> json = optional(object({<br><br> identifier = string<br> success_strings = list(string)<br> failure_strings = list(string)<br> }), null)<br> status_code = optional(object({<br> success_codes = list(string)<br> failure_codes = list(string)<br> }), null)<br> }), null)<br> }), null)<br> })), null)<br> })<br> visibility_config = optional(object({<br> cloudwatch_metrics_enabled = optional(bool)<br> metric_name = string<br> sampled_requests_enabled = optional(bool)<br> }), null)<br> }))</pre> | `null` | no |
| <a name="input_name"></a> [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.<br>This is the only ID element not also included as a `tag`.<br>The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
| <a name="input_namespace"></a> [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
| <a name="input_rate_based_statement_rules"></a> [rate\_based\_statement\_rules](#input\_rate\_based\_statement\_rules) | A rate-based rule tracks the rate of requests for each originating IP address,<br>and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span.<br><br>action:<br> The action that AWS WAF should take on a web request when it matches the rule's statement.<br>name:<br> A friendly name of the rule.<br>priority:<br> If you define more than one Rule in a WebACL,<br> AWS WAF evaluates each request against the rules in order based on the value of priority.<br> AWS WAF processes rules with lower priority first.<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br> Defines custom immunity time.<br><br> immunity\_time:<br> The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>rule\_label:<br> A List of labels to apply to web requests that match the rule match statement<br><br>statement:<br> aggregate\_key\_type:<br> Setting that indicates how to aggregate the request counts.<br> Possible values include: `FORWARDED_IP` or `IP`<br> limit:<br> The limit on requests per 5-minute period for a single originating IP address.<br> forwarded\_ip\_config:<br> fallback\_behavior:<br> The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.<br> Possible values: `MATCH`, `NO_MATCH`<br> header\_name:<br> The name of the HTTP header to use for the IP address.<br><br>visibility\_config:<br> Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br> cloudwatch\_metrics\_enabled:<br> Whether the associated resource sends metrics to CloudWatch.<br> metric\_name:<br> A friendly name of the CloudWatch metric.<br> sampled\_requests\_enabled:<br> Whether AWS WAF should 
store a sampling of the web requests that match the rules. | <pre>list(object({<br> name = string<br> priority = number<br> action = string<br> captcha_config = optional(object({<br> immunity_time_property = object({<br> immunity_time = number<br> })<br> }), null)<br> rule_label = optional(list(string), null)<br> statement = any<br> visibility_config = optional(object({<br> cloudwatch_metrics_enabled = optional(bool)<br> metric_name = string<br> sampled_requests_enabled = optional(bool)<br> }), null)<br> }))</pre> | `null` | no |
| <a name="input_rate_based_statement_rules"></a> [rate\_based\_statement\_rules](#input\_rate\_based\_statement\_rules) | A rate-based rule tracks the rate of requests for each originating IP address,<br>and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span.<br><br>action:<br> The action that AWS WAF should take on a web request when it matches the rule's statement.<br>name:<br> A friendly name of the rule.<br>priority:<br> If you define more than one Rule in a WebACL,<br> AWS WAF evaluates each request against the rules in order based on the value of priority.<br> AWS WAF processes rules with lower priority first.<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br> Defines custom immunity time.<br><br> immunity\_time:<br> The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>rule\_label:<br> A List of labels to apply to web requests that match the rule match statement<br><br>statement:<br> aggregate\_key\_type:<br> Setting that indicates how to aggregate the request counts.<br> Possible values include: `FORWARDED_IP` or `IP`<br> limit:<br> The limit on requests per 5-minute period for a single originating IP address.<br> forwarded\_ip\_config:<br> fallback\_behavior:<br> The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.<br> Possible values: `MATCH`, `NO_MATCH`<br> header\_name:<br> The name of the HTTP header to use for the IP address.<br> position:<br> Position in the header to search for the IP address.<br> <br> scope\_down\_statement:<br> Narrows the scope of the rate-based statement to matching web requests.<br> For more information, see: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl.html#scope_down_statement<br> 
byte\_match\_statement:<br> positional\_constraint:<br> Area within the portion of a web request that you want AWS WAF to search for search\_string. Valid values include the following: EXACTLY, STARTS\_WITH, ENDS\_WITH, CONTAINS, CONTAINS\_WORD.<br> search\_string<br> String value that you want AWS WAF to search for. AWS WAF searches only in the part of web requests that you designate for inspection in field\_to\_match.<br> field\_to\_match:<br> The part of a web request that you want AWS WAF to inspect.<br> See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match<br> text\_transformation:<br> Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.<br> See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation<br><br>visibility\_config:<br> Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br> cloudwatch\_metrics\_enabled:<br> Whether the associated resource sends metrics to CloudWatch.<br> metric\_name:<br> A friendly name of the CloudWatch metric.<br> sampled\_requests\_enabled:<br> Whether AWS WAF should store a sampling of the web requests that match the rules. | <pre>list(object({<br> name = string<br> priority = number<br> action = string<br> captcha_config = optional(object({<br> immunity_time_property = object({<br> immunity_time = number<br> })<br> }), null)<br> rule_label = optional(list(string), null)<br> statement = any<br> visibility_config = optional(object({<br> cloudwatch_metrics_enabled = optional(bool)<br> metric_name = string<br> sampled_requests_enabled = optional(bool)<br> }), null)<br> }))</pre> | `null` | no |
| <a name="input_redacted_fields"></a> [redacted\_fields](#input\_redacted\_fields) | The parts of the request that you want to keep out of the logs.<br>You can only specify one of the following: `method`, `query_string`, `single_header`, or `uri_path`<br><br>method:<br> Whether to enable redaction of the HTTP method.<br> The method indicates the type of operation that the request is asking the origin to perform.<br>uri\_path:<br> Whether to enable redaction of the URI path.<br> This is the part of a web request that identifies a resource.<br>query\_string:<br> Whether to enable redaction of the query string.<br> This is the part of a URL that appears after a `?` character, if any.<br>single\_header:<br> The list of names of the query headers to redact. | <pre>map(object({<br> method = optional(bool, false)<br> uri_path = optional(bool, false)<br> query_string = optional(bool, false)<br> single_header = optional(list(string), null)<br> }))</pre> | `{}` | no |
| <a name="input_regex_match_statement_rules"></a> [regex\_match\_statement\_rules](#input\_regex\_match\_statement\_rules) | A rule statement used to search web request components for a match against a single regular expression.<br><br>action:<br> The action that AWS WAF should take on a web request when it matches the rule's statement.<br>name:<br> A friendly name of the rule.<br>priority:<br> If you define more than one Rule in a WebACL,<br> AWS WAF evaluates each request against the rules in order based on the value of priority.<br> AWS WAF processes rules with lower priority first.<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br> Defines custom immunity time.<br><br> immunity\_time:<br> The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>rule\_label:<br> A List of labels to apply to web requests that match the rule match statement<br><br>statement:<br> regex\_string:<br> String representing the regular expression. Minimum of 1 and maximum of 512 characters.<br> field\_to\_match:<br> The part of a web request that you want AWS WAF to inspect.<br> See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl.html#field_to_match<br> text\_transformation:<br> Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. 
At least one required.<br> See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation<br><br>visibility\_config:<br> Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br> cloudwatch\_metrics\_enabled:<br> Whether the associated resource sends metrics to CloudWatch.<br> metric\_name:<br> A friendly name of the CloudWatch metric.<br> sampled\_requests\_enabled:<br> Whether AWS WAF should store a sampling of the web requests that match the rules. | <pre>list(object({<br> name = string<br> priority = number<br> action = string<br> captcha_config = optional(object({<br> immunity_time_property = object({<br> immunity_time = number<br> })<br> }), null)<br> rule_label = optional(list(string), null)<br> statement = any<br> visibility_config = optional(object({<br> cloudwatch_metrics_enabled = optional(bool)<br> metric_name = string<br> sampled_requests_enabled = optional(bool)<br> }), null)<br> }))</pre> | `null` | no |
| <a name="input_regex_pattern_set_reference_statement_rules"></a> [regex\_pattern\_set\_reference\_statement\_rules](#input\_regex\_pattern\_set\_reference\_statement\_rules) | A rule statement used to search web request components for matches with regular expressions.<br><br>action:<br> The action that AWS WAF should take on a web request when it matches the rule's statement.<br>name:<br> A friendly name of the rule.<br>priority:<br> If you define more than one Rule in a WebACL,<br> AWS WAF evaluates each request against the rules in order based on the value of priority.<br> AWS WAF processes rules with lower priority first.<br><br>captcha\_config:<br> Specifies how AWS WAF should handle CAPTCHA evaluations.<br><br> immunity\_time\_property:<br> Defines custom immunity time.<br><br> immunity\_time:<br> The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.<br><br>rule\_label:<br> A List of labels to apply to web requests that match the rule match statement<br><br>statement:<br> arn:<br> The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references.<br> field\_to\_match:<br> The part of a web request that you want AWS WAF to inspect.<br> See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match<br> text\_transformation:<br> Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.<br> See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation<br><br>visibility\_config:<br> Defines and enables Amazon CloudWatch metrics and web request sample collection.<br><br> cloudwatch\_metrics\_enabled:<br> Whether the associated resource sends metrics to CloudWatch.<br> metric\_name:<br> A friendly name of the CloudWatch metric.<br> sampled\_requests\_enabled:<br> Whether AWS WAF should store a sampling 
of the web requests that match the rules. | <pre>list(object({<br> name = string<br> priority = number<br> action = string<br> captcha_config = optional(object({<br> immunity_time_property = object({<br> immunity_time = number<br> })<br> }), null)<br> rule_label = optional(list(string), null)<br> statement = any<br> visibility_config = optional(object({<br> cloudwatch_metrics_enabled = optional(bool)<br> metric_name = string<br> sampled_requests_enabled = optional(bool)<br> }), null)<br> }))</pre> | `null` | no |
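Review bot: the `scope\_down\_statement` structure documented in the added `rate_based_statement_rules` row is not reflected in that row's type column, which still declares `statement = any`, so none of the newly documented keys (`scope_down_statement`, `byte_match_statement`, `positional_constraint`, `search_string`, `field_to_match`, `text_transformation`) are validated at plan time and a misspelled key is silently dropped instead of rejected, which means the rate-based rule quietly applies without the intended narrowing; either tighten `statement` to an object type with `scope_down_statement = optional(object({ ... }), null)` or state in the description that the nested structure is unchecked. Two smaller points in the same row: `search\_string<br>` is missing the trailing colon that every sibling key carries (`positional\_constraint:`, `field\_to\_match:`), and the `text\_transformation` entry under `byte\_match\_statement` should say "At least one required." as the `regex_match_statement_rules` row in this hunk already does, since a byte match statement cannot be created without one. The row also documents only `byte_match_statement` under `scope_down_statement`; if that is the only scope-down statement type the module passes through, the description should say so explicitly, otherwise list the other statement types the linked provider page accepts. Finally, please verify the newly added `position` key under `forwarded\_ip\_config` against the provider docs: in the `aws_wafv2_web_acl` schema as I know it, the rate-based statement's `forwarded_ip_config` takes only `fallback_behavior` and `header_name`, while `position` (`FIRST`, `LAST`, `ANY`) belongs to `ip_set_forwarded_ip_config` of an `ip_set_reference_statement`, so documenting it here may lead users to set a key that is never applied.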