v1.7.2

@cloudposse-releaser cloudposse-releaser released this 18 Jul 01:27
· 10 commits to refs/heads/main since this release

🚀 Enhancements

Fix `scope_down_statement` Rules @RoseSecurity (#90)

what

  • Fix text_transformation errors by fixing dynamic references
  • Update documentation and variable to support more complex structure
  • Provide a parameter for an evaluation_window_sec, which is the amount of time, in seconds, that AWS WAF should include in its request counts, looking back from the current time.
  • Update examples with scope_down_statement rules to ensure test coverage

Rate Limit Rule Example

scoped_rule

why

  • Enhance the reliability, functionality, and features of the waf module

testing

Utilized the following example Atmos component:

        rate_based_statement_rules:
          - name: "scoped-rate-limit"
            action: "block"
            priority: 10
            statement:
              limit: 1000
              aggregate_key_type: "IP"
              evaluation_window_sec: 300
              scope_down_statement:
                byte_match_statement:
                  field_to_match:
                    uri_path: true
                  positional_constraint: "STARTS_WITH"
                  search_string: "/test"
                  text_transformation:
                    - priority: 0
                      type: "NONE"

Which resulted in the following Terraform plan and apply:

      + rule {
          + name     = "scoped-rate-limit"
          + priority = 10

          + action {
              + block {
                }
            }

          + statement {
              + rate_based_statement {
                  + aggregate_key_type    = "IP"
                  + evaluation_window_sec = 300
                  + limit                 = 1000

                  + scope_down_statement {
                      + byte_match_statement {
                          + positional_constraint = "STARTS_WITH"
                          + search_string         = "/test"

                          + field_to_match {
                              + uri_path {}
                            }

                          + text_transformation {
                              + priority = 0
                              + type     = "NONE"
                            }
                        }
                    }
                }
            }

And Terratest output:

TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:           + statement {
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:               + rate_based_statement {
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                   + aggregate_key_type    = "IP"
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                   + evaluation_window_sec = 300
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                   + limit                 = 100
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66: 
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                   + scope_down_statement {
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                       + byte_match_statement {
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                           + positional_constraint = "STARTS_WITH"
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                           + search_string         = "example-scope-down-statement"
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66: 
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                           + field_to_match {
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                               + uri_path {}
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                             }
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66: 
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                           + text_transformation {
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                               + priority = 40
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                               + type     = "NONE"
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                             }
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                         }
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                     }
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                 }
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:             }
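
A simplified model of how the `scoped-rate-limit` rule above counts requests, added here as an illustration; it is not code from the module or the PR. It assumes exact per-request counting, whereas AWS WAF estimates rates periodically, so real enforcement lags; the function names and sample traffic are constructed.

```python
from collections import defaultdict, deque

# Rule values copied from the Atmos component above; the dict layout is hypothetical.
RULE = {"limit": 1000, "evaluation_window_sec": 300, "search_string": "/test"}
# Window lengths AWS WAF accepts for evaluation_window_sec.
VALID_WINDOWS = (60, 120, 300, 600)


def in_scope(uri_path, rule):
    """scope_down_statement: byte_match_statement, STARTS_WITH on uri_path."""
    # text_transformation type NONE: the path is compared exactly as received.
    return uri_path.startswith(rule["search_string"])


def evaluate(requests, rule):
    """Return one verdict per request: 'allow', 'block' or 'not-counted'.

    requests: time-ordered iterable of (epoch_seconds, source_ip, uri_path).
    """
    if rule["evaluation_window_sec"] not in VALID_WINDOWS:
        raise ValueError("evaluation_window_sec must be one of %r" % (VALID_WINDOWS,))
    seen = defaultdict(deque)  # aggregate_key_type "IP": one counter per source IP
    verdicts = []
    for ts, ip, path in requests:
        if not in_scope(path, rule):
            verdicts.append("not-counted")  # never contributes to the rate
            continue
        window = seen[ip]
        # Look back evaluation_window_sec from the current time; drop older hits.
        while window and window[0] <= ts - rule["evaluation_window_sec"]:
            window.popleft()
        window.append(ts)
        verdicts.append("block" if len(window) > rule["limit"] else "allow")
    return verdicts


def sample_traffic():
    """Constructed sample using documentation-range IPs, not real traffic."""
    burst = [(i // 10, "203.0.113.7", "/test/login") for i in range(1001)]
    other_path = [(101, "203.0.113.7", "/health")]      # outside the scope-down
    other_ip = [(102, "198.51.100.9", "/test/login")]   # separate IP counter
    after_window = [(500, "203.0.113.7", "/test/login")]  # burst has aged out
    return burst + other_path + other_ip + after_window
```

Only the 1001st in-scope request from the bursting IP is blocked; the `/health` request is never counted, and the same IP is allowed again once the burst falls outside the 300-second window.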

references

🤖 Automatic Updates

Update .github/settings.yml @osterman (#89)

what

  • Update `.github/settings.yml`
  • Drop `.github/auto-release.yml` files

why

  • Re-apply .github/settings.yml from org level
  • Use organization level auto-release settings

references

  • DEV-1242 Add protected tags with Repository Rulesets on GitHub