Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: extend support for rate based statement rules #81

Closed
wants to merge 11 commits into from
Closed

feat: extend support for rate based statement rules #81

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
628f50a
add support for custom response code + scope down statement in rate_b…
GuusDeGraeve May 15, 2024
98cae86
default to null
GuusDeGraeve May 15, 2024
e628f95
support positional_constraint + make byte_match_statement dynamic
GuusDeGraeve May 15, 2024
7fefb7d
support for text transformation
GuusDeGraeve May 15, 2024
b5f561b
add missing statement block
GuusDeGraeve May 15, 2024
c9826d7
fix scope_down_statement
GuusDeGraeve May 21, 2024
77e3585
Merge branch 'main' into main
GuusDeGraeve May 23, 2024
5d869fb
fix linting
GuusDeGraeve May 23, 2024
06baf4c
allow for single byte_match_statement
GuusDeGraeve May 23, 2024
94081ac
Merge branch 'main' into main
aknysh May 30, 2024
bebf6c1
add to variables description
GuusDeGraeve Jun 3, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
103 changes: 100 additions & 3 deletions rules.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -714,7 +714,14 @@ resource "aws_wafv2_web_acl" "default" {
}
dynamic "block" {
for_each = rule.value.action == "block" ? [1] : []
content {}
content {
dynamic "custom_response" {
for_each = rule.value.custom_response_code != null ? [rule.value.custom_response_code] : []
content {
response_code = custom_response.value
}
}
}
}
dynamic "count" {
for_each = rule.value.action == "count" ? [1] : []
Expand All @@ -731,8 +738,98 @@ resource "aws_wafv2_web_acl" "default" {
for_each = lookup(rule.value, "statement", null) != null ? [rule.value.statement] : []

content {
aggregate_key_type = lookup(rate_based_statement.value, "aggregate_key_type", "IP")
limit = rate_based_statement.value.limit
aggregate_key_type = lookup(rate_based_statement.value, "aggregate_key_type", "IP")
limit = rate_based_statement.value.limit
evaluation_window_sec = lookup(rate_based_statement.value, "evaluation_window_sec", 300)

dynamic "scope_down_statement" {
for_each = lookup(rate_based_statement.value, "scope_down_statement", null) != null ? [rate_based_statement.value.scope_down_statement] : []

content {
dynamic "byte_match_statement" {
for_each = lookup(scope_down_statement.value, "byte_match_statement", null) != null ? [scope_down_statement.value.byte_match_statement] : []
content {
search_string = byte_match_statement.value.search_string
positional_constraint = byte_match_statement.value.positional_constraint
field_to_match {
dynamic "uri_path" {
for_each = lookup(byte_match_statement.value, "uri_path", null) != null ? [1] : []
content {}
}
dynamic "single_header" {
for_each = lookup(byte_match_statement.value, "single_header", null) != null ? [byte_match_statement.value.single_header] : []
content {
name = single_header.value
}
}
dynamic "method" {
for_each = lookup(byte_match_statement.value, "method", null) != null ? [1] : []
content {}
}
}
dynamic "text_transformation" {
for_each = lookup(byte_match_statement.value, "text_transformation", [
{
priority = 0
type = "NONE"
}
])

content {
priority = text_transformation.value.priority
type = text_transformation.value.type
}
}
}
}
dynamic "and_statement" {
for_each = length(lookup(scope_down_statement.value, "and", [])) > 0 ? [scope_down_statement.value.and] : []
content {
dynamic "statement" {
for_each = and_statement.value
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@GuusDeGraeve the PR looks good, thank you.

Some questions about this code

 for_each = length(lookup(scope_down_statement.value, "and", [])) > 0 ? [scope_down_statement.value.and] : []
                  content {
                    dynamic "statement" {
                      for_each = and_statement.value

Looks like scope_down_statement.value.and should be a list b/c you check its length.
But then you put it into another list in [scope_down_statement.value.and].
Should it be just ? scope_down_statement.value.and : [] ?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @aknysh, yes that is correct, the reason is because the add statement is a list of multiple statements. Which we loop over within the next dynamic block dynamic "statement" {.

I know it looks quite confusing when reading the code, but it is definitely on purpose.

content {
dynamic "byte_match_statement" {
for_each = lookup(statement.value, "byte_match_statement", null) != null ? [statement.value.byte_match_statement] : []
content {
search_string = byte_match_statement.value.search_string
positional_constraint = byte_match_statement.value.positional_constraint
field_to_match {
dynamic "uri_path" {
for_each = lookup(byte_match_statement.value, "uri_path", null) != null ? [1] : []
content {}
}
dynamic "single_header" {
for_each = lookup(byte_match_statement.value, "single_header", null) != null ? [byte_match_statement.value.single_header] : []
content {
name = single_header.value
}
}
dynamic "method" {
for_each = lookup(byte_match_statement.value, "method", null) != null ? [1] : []
content {}
}
}
dynamic "text_transformation" {
for_each = lookup(byte_match_statement.value, "text_transformation", [
{
priority = 0
type = "NONE"
}
])

content {
priority = text_transformation.value.priority
type = text_transformation.value.type
}
}
}
}
}
}
}
}
}
}

dynamic "forwarded_ip_config" {
for_each = lookup(rate_based_statement.value, "forwarded_ip_config", null) != null ? [rate_based_statement.value.forwarded_ip_config] : []
Expand Down
9 changes: 7 additions & 2 deletions variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -499,8 +499,9 @@ variable "rate_based_statement_rules" {
immunity_time = number
})
}), null)
rule_label = optional(list(string), null)
statement = any
rule_label = optional(list(string), null)
statement = any
custom_response_code = optional(number, null)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be added to the description

visibility_config = optional(object({
cloudwatch_metrics_enabled = optional(bool)
metric_name = string
Expand Down Expand Up @@ -545,6 +546,10 @@ variable "rate_based_statement_rules" {
Possible values: `MATCH`, `NO_MATCH`
header_name:
The name of the HTTP header to use for the IP address.

custom_response_code:
The HTTP status code to return when the request is blocked.
For example, `403`, or more applicable to rate based rules, `429`.

visibility_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.
Expand Down