Merge pull request #116 from trussworks/remove-unsupported-blocks
remove dynamic excluded rule blocks. no longer supported in aws provi…
chtakahashi authored Jun 2, 2023
2 parents 679061b + 54a2846 commit 49ddc2b
Showing 4 changed files with 5 additions and 27 deletions.
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -127,12 +127,12 @@ No modules.
| default\_action | The action to perform if none of the rules contained in the WebACL match. | `string` | `"allow"` | no |
| enable\_logging | Whether to associate Logging resource with the WAFv2 ACL. | `bool` | `false` | no |
| filtered\_header\_rule | HTTP header to filter . Currently supports a single header type and multiple header values. | ```object({ header_types = list(string) priority = number header_value = string action = string search_string = string })``` | ```{ "action": "block", "header_types": [], "header_value": "", "priority": 1, "search_string": "" }``` | no |
| group\_rules | List of WAFv2 Rule Groups. | ```list(object({ name = string arn = string priority = number override_action = string excluded_rules = list(string) }))``` | `[]` | no |
| group\_rules | List of WAFv2 Rule Groups. | ```list(object({ name = string arn = string priority = number override_action = string }))``` | `[]` | no |
| ip\_rate\_based\_rule | A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span | ```object({ name = string priority = number limit = number action = string response_code = optional(number, 403) })``` | `null` | no |
| ip\_rate\_url\_based\_rules | A rate and url based rules tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span | ```list(object({ name = string priority = number limit = number action = string response_code = optional(number, 403) search_string = string positional_constraint = string }))``` | `[]` | no |
| ip\_sets\_rule | A rule to detect web requests coming from particular IP addresses or address ranges. | ```list(object({ name = string priority = number ip_set_arn = string action = string response_code = optional(number, 403) }))``` | `[]` | no |
| log\_destination\_arns | The Amazon Kinesis Data Firehose, Cloudwatch Log log group, or S3 bucket Amazon Resource Names (ARNs) that you want to associate with the web ACL. | `list(string)` | `[]` | no |
| managed\_rules | List of Managed WAF rules. | ```list(object({ name = string priority = number override_action = string excluded_rules = list(string) vendor_name = string version = optional(string) rule_action_override = list(object({ name = string action_to_use = string })) }))``` | ```[ { "excluded_rules": [], "name": "AWSManagedRulesCommonRuleSet", "override_action": "none", "priority": 10, "rule_action_override": [], "vendor_name": "AWS" }, { "excluded_rules": [], "name": "AWSManagedRulesAmazonIpReputationList", "override_action": "none", "priority": 20, "rule_action_override": [], "vendor_name": "AWS" }, { "excluded_rules": [], "name": "AWSManagedRulesKnownBadInputsRuleSet", "override_action": "none", "priority": 30, "rule_action_override": [], "vendor_name": "AWS" }, { "excluded_rules": [], "name": "AWSManagedRulesSQLiRuleSet", "override_action": "none", "priority": 40, "rule_action_override": [], "vendor_name": "AWS" }, { "excluded_rules": [], "name": "AWSManagedRulesLinuxRuleSet", "override_action": "none", "priority": 50, "rule_action_override": [], "vendor_name": "AWS" }, { "excluded_rules": [], "name": "AWSManagedRulesUnixRuleSet", "override_action": "none", "priority": 60, "rule_action_override": [], "vendor_name": "AWS" } ]``` | no |
| managed\_rules | List of Managed WAF rules. | ```list(object({ name = string priority = number override_action = string vendor_name = string version = optional(string) rule_action_override = list(object({ name = string action_to_use = string })) }))``` | ```[ { "name": "AWSManagedRulesCommonRuleSet", "override_action": "none", "priority": 10, "rule_action_override": [], "vendor_name": "AWS" }, { "name": "AWSManagedRulesAmazonIpReputationList", "override_action": "none", "priority": 20, "rule_action_override": [], "vendor_name": "AWS" }, { "name": "AWSManagedRulesKnownBadInputsRuleSet", "override_action": "none", "priority": 30, "rule_action_override": [], "vendor_name": "AWS" }, { "name": "AWSManagedRulesSQLiRuleSet", "override_action": "none", "priority": 40, "rule_action_override": [], "vendor_name": "AWS" }, { "name": "AWSManagedRulesLinuxRuleSet", "override_action": "none", "priority": 50, "rule_action_override": [], "vendor_name": "AWS" }, { "name": "AWSManagedRulesUnixRuleSet", "override_action": "none", "priority": 60, "rule_action_override": [], "vendor_name": "AWS" } ]``` | no |
| name | A friendly name of the WebACL. | `string` | n/a | yes |
| scope | The scope of this Web ACL. Valid options: CLOUDFRONT, REGIONAL. | `string` | n/a | yes |
| tags | A mapping of tags to assign to the WAFv2 ACL. | `map(string)` | `{}` | no |
7 changes: 3 additions & 4 deletions examples/alb/main.tf
Expand Up @@ -28,9 +28,9 @@ module "wafv2" {
associate_alb = true
alb_arn = aws_lb.alb.arn
managed_rules = [
{ "excluded_rules" : [], "name" : "AWSManagedRulesAmazonIpReputationList", "override_action" : "none", "priority" : 1, "vendor_name" : "AWS", "rule_action_override" : [] },
{ "excluded_rules" : [], "name" : "AWSManagedRulesCommonRuleSet", "override_action" : "none", "priority" : 2, "vendor_name" : "AWS", "rule_action_override" : [{ "name" = "SizeRestrictions_BODY", "action_to_use" = "allow" }] },
{ "excluded_rules" : [], "name" : "AWSManagedRulesSQLiRuleSet", "override_action" : "none", "priority" : 3, "vendor_name" : "AWS", "rule_action_override" : [] }
{ "name" : "AWSManagedRulesAmazonIpReputationList", "override_action" : "none", "priority" : 1, "vendor_name" : "AWS", "rule_action_override" : [] },
{ "name" : "AWSManagedRulesCommonRuleSet", "override_action" : "none", "priority" : 2, "vendor_name" : "AWS", "rule_action_override" : [{ "name" = "SizeRestrictions_BODY", "action_to_use" = "allow" }] },
{ "name" : "AWSManagedRulesSQLiRuleSet", "override_action" : "none", "priority" : 3, "vendor_name" : "AWS", "rule_action_override" : [] }
]
filtered_header_rule = {
header_types = [
Expand Down Expand Up @@ -85,7 +85,6 @@ module "wafv2" {

group_rules = [
{
excluded_rules : [],
name : aws_wafv2_rule_group.block_countries.name,
arn : aws_wafv2_rule_group.block_countries.arn,
override_action : "none",
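Review bot: With `excluded_rules` gone, the example's only remaining way to exempt a managed rule is the `rule_action_override` on the AWSManagedRulesCommonRuleSet entry, and it sets `"action_to_use" = "allow"` for `SizeRestrictions_BODY`; in AWS WAF an allow override is a terminating action, so a request that matches that rule is allowed immediately and never reaches the `AWSManagedRulesSQLiRuleSet` entry at priority 3. The non-terminating equivalent of the old exclusion is a count override, so the example should probably read `"rule_action_override" : [{ "name" = "SizeRestrictions_BODY", "action_to_use" = "count" }]`, assuming the module's mapping of this string to the provider's `action_to_use` block accepts `count` (the mapping is outside this hunk). Worth a one-line comment above the entry either way, e.g. `# allow/block overrides terminate evaluation; use count to merely exempt a rule`. As a style point, the new lines keep mixing `:` for the outer object attributes with `=` for the nested override object; one separator throughout would read more consistently. The enclosing `module "wafv2"` block starts before the first hunk and ends after the second.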
13 changes: 0 additions & 13 deletions main.tf
Expand Up @@ -44,12 +44,6 @@ resource "aws_wafv2_web_acl" "main" {
name = rule.value.name
vendor_name = rule.value.vendor_name
version = rule.value.version
dynamic "excluded_rule" {
for_each = rule.value.excluded_rules
content {
name = excluded_rule.value
}
}
dynamic "rule_action_override" {
for_each = rule.value.rule_action_override
content {
Expand Down Expand Up @@ -297,13 +291,6 @@ resource "aws_wafv2_web_acl" "main" {
statement {
rule_group_reference_statement {
arn = rule.value.arn

dynamic "excluded_rule" {
for_each = rule.value.excluded_rules
content {
name = excluded_rule.value
}
}
}
}

8 changes: 0 additions & 8 deletions variables.tf
Expand Up @@ -13,7 +13,6 @@ variable "managed_rules" {
name = string
priority = number
override_action = string
excluded_rules = list(string)
vendor_name = string
version = optional(string)
rule_action_override = list(object({
Expand All @@ -27,47 +26,41 @@ variable "managed_rules" {
name = "AWSManagedRulesCommonRuleSet",
priority = 10
override_action = "none"
excluded_rules = []
vendor_name = "AWS"
rule_action_override = []
},
{
name = "AWSManagedRulesAmazonIpReputationList",
priority = 20
override_action = "none"
excluded_rules = []
vendor_name = "AWS"
rule_action_override = []
},
{
name = "AWSManagedRulesKnownBadInputsRuleSet",
priority = 30
override_action = "none"
excluded_rules = []
vendor_name = "AWS"
rule_action_override = []
},
{
name = "AWSManagedRulesSQLiRuleSet",
priority = 40
override_action = "none"
excluded_rules = []
vendor_name = "AWS"
rule_action_override = []
},
{
name = "AWSManagedRulesLinuxRuleSet",
priority = 50
override_action = "none"
excluded_rules = []
vendor_name = "AWS"
rule_action_override = []
},
{
name = "AWSManagedRulesUnixRuleSet",
priority = 60
override_action = "none"
excluded_rules = []
vendor_name = "AWS"
rule_action_override = []
}
Expand Down Expand Up @@ -166,7 +159,6 @@ variable "group_rules" {
arn = string
priority = number
override_action = string
excluded_rules = list(string)
}))
description = "List of WAFv2 Rule Groups."
default = []

0 comments on commit 49ddc2b

Please sign in to comment.