Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Create custom rules #101

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 44 additions & 0 deletions examples/complete/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -151,6 +151,50 @@ module "waf" {
}
]

# Example from https://docs.aws.amazon.com/waf/latest/developerguide/waf-bot-control-example-user-agent-exception.html
custom_rules = [
{
name = "user_agent_match_rule"
priority = 1000
action = "block"

and_statement = [
{
type = "LabelMatchStatement"
statement = {
key = "awswaf:managed:aws:bot-control:signal:non-browser-user-agent"
scope = "LABEL"
}
},
{
type = "NotStatement"
statement = {
type = "ByteMatchStatement"
field_to_match = {
single_header = {
name = "user-agent"
}
}
positional_constraint = "EXACTLY"
search_string = "PostmanRuntime/7.29.2"
text_transformation = [
{
priority = 0
type = "NONE"
}
]
}
}
]

visibility_config = {
cloudwatch_metrics_enabled = true
sampled_requests_enabled = true
metric_name = "user_agent_match_rule"
}
}
]

rate_based_statement_rules = [
{
name = "rule-40"
Expand Down
145 changes: 145 additions & 0 deletions rules.tf
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,11 @@ locals {
) => rule
} : {}

custom_rules = local.enabled && var.custom_rules != null ? {
for rule in flatten(var.custom_rules) :
lookup(rule, "name", null) != null ? rule.name : format("%s-custom-rule-%d", module.this.id, rule.priority) => rule
} : {}

geo_allowlist_statement_rules = local.enabled && var.geo_allowlist_statement_rules != null ? {
for rule in flatten(var.geo_allowlist_statement_rules) :
format("%s-%s",
Expand Down Expand Up @@ -266,6 +271,146 @@ resource "aws_wafv2_web_acl" "default" {
}
}

dynamic "rule" {
for_each = local.custom_rules

content {
name = rule.value.name
priority = rule.value.priority

action {
dynamic "block" {
for_each = rule.value.action == "block" ? [1] : []
content {}
}
dynamic "count" {
for_each = rule.value.action == "count" ? [1] : []
content {}
}
}

statement {
dynamic "and_statement" {
for_each = lookup(rule.value, "and_statement", null) != null ? [rule.value.and_statement] : []

content {
statement {
dynamic "label_match_statement" {
for_each = [for item in and_statement.value : item.statement if lookup(item, "type", null) == "LabelMatchStatement"]

content {
key = label_match_statement.value.key
scope = label_match_statement.value.scope
}
}
}

statement {
dynamic "not_statement" {
for_each = [for item in and_statement.value : item.statement if lookup(item, "type", null) == "NotStatement"]

content {
statement {
dynamic "byte_match_statement" {
for_each = lookup(not_statement.value, "type", null) == "ByteMatchStatement" ? [not_statement.value] : []

content {
positional_constraint = byte_match_statement.value.positional_constraint
search_string = byte_match_statement.value.search_string

dynamic "field_to_match" {
for_each = lookup(byte_match_statement.value, "field_to_match", null) != null ? [byte_match_statement.value.field_to_match] : []

content {
dynamic "all_query_arguments" {
for_each = lookup(field_to_match.value, "all_query_arguments", null) != null ? [1] : []

content {}
}

dynamic "body" {
for_each = lookup(field_to_match.value, "body", null) != null ? [1] : []

content {}
}

dynamic "method" {
for_each = lookup(field_to_match.value, "method", null) != null ? [1] : []

content {}
}

dynamic "query_string" {
for_each = lookup(field_to_match.value, "query_string", null) != null ? [1] : []

content {}
}

dynamic "single_header" {
for_each = lookup(field_to_match.value, "single_header", null) != null ? [field_to_match.value.single_header] : []

content {
name = single_header.value.name
}
}

dynamic "single_query_argument" {
for_each = lookup(field_to_match.value, "single_query_argument", null) != null ? [field_to_match.value.single_query_argument] : []

content {
name = single_query_argument.value.name
}
}

dynamic "uri_path" {
for_each = lookup(field_to_match.value, "uri_path", null) != null ? [1] : []

content {}
}
}
}

dynamic "text_transformation" {
for_each = lookup(byte_match_statement.value, "text_transformation", null) != null ? [
for rule in lookup(byte_match_statement.value, "text_transformation") : {
priority = rule.priority
type = rule.type
}] : []

content {
priority = text_transformation.value.priority
type = text_transformation.value.type
}
}
}
}
}
}
}
}
}
}
}

dynamic "visibility_config" {
for_each = lookup(rule.value, "visibility_config", null) != null ? [rule.value.visibility_config] : []

content {
cloudwatch_metrics_enabled = lookup(visibility_config.value, "cloudwatch_metrics_enabled", true)
metric_name = visibility_config.value.metric_name
sampled_requests_enabled = lookup(visibility_config.value, "sampled_requests_enabled", true)
}
}

dynamic "rule_label" {
for_each = lookup(rule.value, "rule_label", null) != null ? rule.value.rule_label : []
content {
name = rule_label.value
}
}
}
}

dynamic "rule" {
for_each = local.geo_allowlist_statement_rules

Expand Down
47 changes: 46 additions & 1 deletion variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -150,6 +150,51 @@ variable "byte_match_statement_rules" {
DOC
}

variable "custom_rules" {
type = list(object({
name = string
priority = number
action = string
rule_label = optional(list(string), null)
and_statement = optional(any)
visibility_config = optional(object({
cloudwatch_metrics_enabled = optional(bool)
metric_name = string
sampled_requests_enabled = optional(bool)
}), null)
}))
default = null
description = <<-DOC
A rule statement that defines a custom rule for AWS WAF to apply to web requests.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

rule_label:
A List of labels to apply to web requests that match the rule match statement

and_statement:
A logical rule statement used to combine other rule statements with AND logic.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#and-statement

visibility_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch_metrics_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric_name:
A friendly name of the CloudWatch metric.
sampled_requests_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules.
DOC
}

variable "geo_allowlist_statement_rules" {
type = list(object({
name = string
Expand Down Expand Up @@ -580,7 +625,7 @@ variable "rate_based_statement_rules" {
field_to_match:
Part of a web request that you want AWS WAF to inspect.
positional_constraint:
Area within the portion of a web request that you want AWS WAF to search for search_string.
Area within the portion of a web request that you want AWS WAF to search for search_string.
Valid values include the following: `EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CONTAINS_WORD`.
search_string:
String value that you want AWS WAF to search for.
Expand Down