Add input variable for rate limit evaluation seconds

thoughtbot · Mar 12, 2024 · a0e75ec · a0e75ec
1 parent 778d3ea
commit a0e75ec
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 8 deletions.
diff --git a/aws/waf/main.tf b/aws/waf/main.tf
@@ -33,8 +33,9 @@ resource "aws_wafv2_web_acl" "main" {
       }
       statement {
         rate_based_statement {
-          limit              = rule.value["limit"]
-          aggregate_key_type = "IP"
+          limit                 = rule.value["limit"]
+          aggregate_key_type    = "IP"
+          evaluation_window_sec = rule.value["evaluation_window_sec"]
 
           dynamic "scope_down_statement" {
             for_each = length(concat(rule.value["country_list"], rule.value["exempt_country_list"])) > 0 ? [1] : []

diff --git a/aws/waf/variables.tf b/aws/waf/variables.tf
@@ -34,12 +34,13 @@ variable "aws_managed_rule_groups" {
 variable "rate_limit_rules" {
   description = "Rule statement to track and rate limits requests when they are coming at too fast a rate.. For more details, visit - https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html"
   type = map(object({
-    name                = string                     # Name of the Rate limit rule group
-    priority            = number                     # Relative processing order for rate limit rule relative to other rules processed by AWS WAF.
-    limit               = optional(number, 2000)     # This is the limit on requests from any single IP address within a 5 minute period
-    count_override      = optional(bool, false)      # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`. Default value is false.
-    country_list        = optional(list(string), []) # List of countries to apply the rate limit to. If populated, from other countries will be ignored by this rule. IF empty, the rule will apply to all traffic. You must either specify country_list or exempt_country_list, but not both.
-    exempt_country_list = optional(list(string), []) # List of countries to exempt from the rate limit. If populated, the selected countries will be ignored by this rule. IF empty, the rule will apply to all traffic. You must either specify country_list or exempt_country_list, but not both.
+    name                  = string                     # Name of the Rate limit rule group
+    priority              = number                     # Relative processing order for rate limit rule relative to other rules processed by AWS WAF.
+    limit                 = optional(number, 2000)     # This is the limit on requests from any single IP address within a 5 minute period
+    count_override        = optional(bool, false)      # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`. Default value is false.
+    country_list          = optional(list(string), []) # List of countries to apply the rate limit to. If populated, from other countries will be ignored by this rule. IF empty, the rule will apply to all traffic. You must either specify country_list or exempt_country_list, but not both.
+    exempt_country_list   = optional(list(string), []) # List of countries to exempt from the rate limit. If populated, the selected countries will be ignored by this rule. IF empty, the rule will apply to all traffic. You must either specify country_list or exempt_country_list, but not both.
+    evaluation_window_sec = optional(number, 300)      # The amount of time, in seconds, that AWS WAF should include in its request counts, looking back from the current time. Defaults to 300 seconds. Valid values are 60, 120, 300, and 600.
   }))
 }