diff --git a/aws/waf/README.md b/aws/waf/README.md
index 19bb21e..b5cfc8e 100644
--- a/aws/waf/README.md
+++ b/aws/waf/README.md
@@ -90,7 +90,7 @@ Note: For each rule, if you are providing a country list, you can only specify e
| [allowed\_ip\_list](#input\_allowed\_ip\_list) | List of allowed IP addresses, these IP addresses will be exempted from any configured rules | `list(string)` | `[]` | no |
| [aws\_managed\_rule\_groups](#input\_aws\_managed\_rule\_groups) | Rule statement values used to run the rules that are defined in a managed rule group. You may review this list for the available AWS managed rule groups - https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html | map(object({
name = string # Name of the Managed rule group
priority = number # Relative processing order for rules processed by AWS WAF. All rules are processed from lowest priority to the highest.
count_override = optional(bool, true) # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`.
country_list = optional(list(string), []) # List of countries to apply the managed rule to. If populated, from other countries will be ignored by this rule. IF empty, the rule will apply to all traffic. You must either specify country_list or exempt_country_list, but not both.
exempt_country_list = optional(list(string), []) # List of countries to exempt from the managed rule. If populated, the selected countries will be ignored by this rule. IF empty, the rule will apply to all traffic. You must either specify country_list or exempt_country_list, but not both.
})) | n/a | yes |
| [block\_ip\_list](#input\_block\_ip\_list) | List of IP addresses to be blocked and denied access to the ingress / cloudfront. | `list(string)` | `[]` | no |
-| [header\_match\_rules](#input\_header\_match\_rules) | Rule statement to inspect and match the header for an incoming request. | map(object({
name = string # Name of the header match rule group
priority = number # Relative processing order for header match rule relative to other rules processed by AWS WAF.
header_name = string # This is the name of the header to inspect for all incoming requests.
header_value = string # This is the value to look out for a matching header name for all incoming requests
count_override = optional(bool, true) # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`. Default value is false.
})) | `null` | no |
+| [header\_match\_rules](#input\_header\_match\_rules) | Rule statement to inspect and match the header for an incoming request. | map(object({
name = string # Name of the header match rule group
priority = number # Relative processing order for header match rule relative to other rules processed by AWS WAF.
header_values = map(object({ # Header values contains a map of headers to inspect. You can provide multiple headers and values, all headers will be inspected together with `AND` logic.
header_name = string # This is the name of the header to inspect for all incoming requests.
header_value = string # This is the value to look out for a matching header name for all incoming requests
not_statement = optional(bool, false) # This indicates if the result this header match should be negated. The negated result will be joined with other header match results using `AND` logic if more than 1 header is provided.
}))
count_override = optional(bool, true) # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`. Default value is false.
})) | `null` | no |
| [name](#input\_name) | Friendly name of the WebACL. | `string` | n/a | yes |
| [rate\_limit\_rules](#input\_rate\_limit\_rules) | Rule statement to track and rate limits requests when they are coming at too fast a rate.. For more details, visit - https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html | map(object({
name = string # Name of the Rate limit rule group
priority = number # Relative processing order for rate limit rule relative to other rules processed by AWS WAF.
limit = optional(number, 2000) # This is the limit on requests from any single IP address within a 5 minute period
count_override = optional(bool, false) # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`. Default value is false.
country_list = optional(list(string), []) # List of countries to apply the rate limit to. If populated, from other countries will be ignored by this rule. IF empty, the rule will apply to all traffic. You must either specify country_list or exempt_country_list, but not both.
exempt_country_list = optional(list(string), []) # List of countries to exempt from the rate limit. If populated, the selected countries will be ignored by this rule. IF empty, the rule will apply to all traffic. You must either specify country_list or exempt_country_list, but not both.
})) | n/a | yes |
| [resource\_arn](#input\_resource\_arn) | The Amazon Resource Name (ARN) of the resource to associate with the web ACL. This must be an ARN of an Application Load Balancer or an Amazon API Gateway stage. Value is required if scope is REGIONAL | `string` | `null` | no |
@@ -101,4 +101,5 @@ Note: For each rule, if you are providing a country list, you can only specify e
| Name | Description |
|------|-------------|
| [aws\_waf\_arn](#output\_aws\_waf\_arn) | The arn for AWS WAF WebACL. |
+| [waf\_logs\_sns\_topic\_arn](#output\_waf\_logs\_sns\_topic\_arn) | The arn for the SNS topic to receive the AWS WAF logs |
\ No newline at end of file
diff --git a/aws/waf/main.tf b/aws/waf/main.tf
index fcf54bc..9f3b6d7 100644
--- a/aws/waf/main.tf
+++ b/aws/waf/main.tf
@@ -31,21 +31,104 @@ resource "aws_wafv2_web_acl" "main" {
block {}
}
}
- statement {
- byte_match_statement {
- field_to_match {
- single_header {
- name = lower(rule.value["header_name"])
+ dynamic "statement" {
+ for_each = length(rule.value["header_values"]) == 1 ? rule.value["header_values"] : {}
+ content {
+ dynamic "byte_match_statement" {
+ for_each = statement.value["not_statement"] == false ? [1] : []
+ content {
+ field_to_match {
+ single_header {
+ name = lower(statement.value["header_name"])
+ }
+ }
+
+ positional_constraint = "CONTAINS"
+
+ search_string = statement.value["header_value"]
+
+ text_transformation {
+ priority = 1
+ type = "LOWERCASE"
+ }
+ }
+ }
+ dynamic "not_statement" {
+ for_each = statement.value["not_statement"] == true ? [1] : []
+ content {
+ statement {
+ byte_match_statement {
+ field_to_match {
+ single_header {
+ name = lower(statement.value["header_name"])
+ }
+ }
+
+ positional_constraint = "CONTAINS"
+
+ search_string = statement.value["header_value"]
+
+ text_transformation {
+ priority = 1
+ type = "LOWERCASE"
+ }
+ }
+ }
}
}
+ }
+ }
+ dynamic "statement" {
+ for_each = length(rule.value["header_values"]) > 1 ? rule.value["header_values"] : {}
+ content {
+ and_statement {
+ dynamic "statement" {
+ for_each = rule.value["header_values"]
+ content {
+ dynamic "byte_match_statement" {
+ for_each = statement.value["not_statement"] == false ? [1] : []
+ content {
+ field_to_match {
+ single_header {
+ name = lower(statement.value["header_name"])
+ }
+ }
- positional_constraint = "CONTAINS"
+ positional_constraint = "CONTAINS"
- search_string = rule.value["header_value"]
+ search_string = statement.value["header_value"]
- text_transformation {
- priority = 1
- type = "LOWERCASE"
+ text_transformation {
+ priority = 1
+ type = "LOWERCASE"
+ }
+ }
+ }
+ dynamic "not_statement" {
+ for_each = statement.value["not_statement"] == true ? [1] : []
+ content {
+ statement {
+ byte_match_statement {
+ field_to_match {
+ single_header {
+ name = lower(statement.value["header_name"])
+ }
+ }
+
+ positional_constraint = "CONTAINS"
+
+ search_string = statement.value["header_value"]
+
+ text_transformation {
+ priority = 1
+ type = "LOWERCASE"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
}
}
}
diff --git a/aws/waf/outputs.tf b/aws/waf/outputs.tf
index f0a1776..dd7a7cc 100644
--- a/aws/waf/outputs.tf
+++ b/aws/waf/outputs.tf
@@ -2,3 +2,8 @@ output "aws_waf_arn" {
description = "The arn for AWS WAF WebACL."
value = aws_wafv2_web_acl.main.arn
}
+
+output "waf_logs_sns_topic_arn" {
+ description = "The arn for the SNS topic to receive the AWS WAF logs"
+ value = aws_sns_topic.waf_logs_sns_subscription.arn
+}
diff --git a/aws/waf/variables.tf b/aws/waf/variables.tf
index dee871f..69f11f7 100644
--- a/aws/waf/variables.tf
+++ b/aws/waf/variables.tf
@@ -46,10 +46,13 @@ variable "rate_limit_rules" {
variable "header_match_rules" {
description = "Rule statement to inspect and match the header for an incoming request."
type = map(object({
- name = string # Name of the header match rule group
- priority = number # Relative processing order for header match rule relative to other rules processed by AWS WAF.
- header_name = string # This is the name of the header to inspect for all incoming requests.
- header_value = string # This is the value to look out for a matching header name for all incoming requests
+ name = string # Name of the header match rule group
+ priority = number # Relative processing order for header match rule relative to other rules processed by AWS WAF.
+ header_values = map(object({ # Header values contains a map of headers to inspect. You can provide multiple headers and values, all headers will be inspected together with `AND` logic.
+ header_name = string # This is the name of the header to inspect for all incoming requests.
+ header_value = string # This is the value to look out for a matching header name for all incoming requests
+ not_statement = optional(bool, false) # This indicates if the result this header match should be negated. The negated result will be joined with other header match results using `AND` logic if more than 1 header is provided.
+ }))
count_override = optional(bool, true) # If true, this will override the rule action setting to `count`, if false, the rule action will be set to `block`. Default value is false.
}))