Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

remove dynamic excluded rule blocks. no longer supported in aws provi… #116

Merged
merged 2 commits into from
Jun 2, 2023
Merged

remove dynamic excluded rule blocks. no longer supported in aws provi… #116

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
607c8bb
remove dynamic excluded rule blocks. no longer supported in aws provi…
chtakahashi Jun 2, 2023
54a2846
remove all references to excluded_rules, a deprecated argument
chtakahashi Jun 2, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -127,12 +127,12 @@ No modules.
| default\_action | The action to perform if none of the rules contained in the WebACL match. | `string` | `"allow"` | no |
| enable\_logging | Whether to associate Logging resource with the WAFv2 ACL. | `bool` | `false` | no |
| filtered\_header\_rule | HTTP header to filter . Currently supports a single header type and multiple header values. | ```object({ header_types = list(string) priority = number header_value = string action = string search_string = string })``` | ```{ "action": "block", "header_types": [], "header_value": "", "priority": 1, "search_string": "" }``` | no |
| group\_rules | List of WAFv2 Rule Groups. | ```list(object({ name = string arn = string priority = number override_action = string excluded_rules = list(string) }))``` | `[]` | no |
| group\_rules | List of WAFv2 Rule Groups. | ```list(object({ name = string arn = string priority = number override_action = string }))``` | `[]` | no |
| ip\_rate\_based\_rule | A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span | ```object({ name = string priority = number limit = number action = string response_code = optional(number, 403) })``` | `null` | no |
| ip\_rate\_url\_based\_rules | A rate and url based rules tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span | ```list(object({ name = string priority = number limit = number action = string response_code = optional(number, 403) search_string = string positional_constraint = string }))``` | `[]` | no |
| ip\_sets\_rule | A rule to detect web requests coming from particular IP addresses or address ranges. | ```list(object({ name = string priority = number ip_set_arn = string action = string response_code = optional(number, 403) }))``` | `[]` | no |
| log\_destination\_arns | The Amazon Kinesis Data Firehose, Cloudwatch Log log group, or S3 bucket Amazon Resource Names (ARNs) that you want to associate with the web ACL. | `list(string)` | `[]` | no |
| managed\_rules | List of Managed WAF rules. | ```list(object({ name = string priority = number override_action = string excluded_rules = list(string) vendor_name = string version = optional(string) rule_action_override = list(object({ name = string action_to_use = string })) }))``` | ```[ { "excluded_rules": [], "name": "AWSManagedRulesCommonRuleSet", "override_action": "none", "priority": 10, "rule_action_override": [], "vendor_name": "AWS" }, { "excluded_rules": [], "name": "AWSManagedRulesAmazonIpReputationList", "override_action": "none", "priority": 20, "rule_action_override": [], "vendor_name": "AWS" }, { "excluded_rules": [], "name": "AWSManagedRulesKnownBadInputsRuleSet", "override_action": "none", "priority": 30, "rule_action_override": [], "vendor_name": "AWS" }, { "excluded_rules": [], "name": "AWSManagedRulesSQLiRuleSet", "override_action": "none", "priority": 40, "rule_action_override": [], "vendor_name": "AWS" }, { "excluded_rules": [], "name": "AWSManagedRulesLinuxRuleSet", "override_action": "none", "priority": 50, "rule_action_override": [], "vendor_name": "AWS" }, { "excluded_rules": [], "name": "AWSManagedRulesUnixRuleSet", "override_action": "none", "priority": 60, "rule_action_override": [], "vendor_name": "AWS" } ]``` | no |
| managed\_rules | List of Managed WAF rules. | ```list(object({ name = string priority = number override_action = string vendor_name = string version = optional(string) rule_action_override = list(object({ name = string action_to_use = string })) }))``` | ```[ { "name": "AWSManagedRulesCommonRuleSet", "override_action": "none", "priority": 10, "rule_action_override": [], "vendor_name": "AWS" }, { "name": "AWSManagedRulesAmazonIpReputationList", "override_action": "none", "priority": 20, "rule_action_override": [], "vendor_name": "AWS" }, { "name": "AWSManagedRulesKnownBadInputsRuleSet", "override_action": "none", "priority": 30, "rule_action_override": [], "vendor_name": "AWS" }, { "name": "AWSManagedRulesSQLiRuleSet", "override_action": "none", "priority": 40, "rule_action_override": [], "vendor_name": "AWS" }, { "name": "AWSManagedRulesLinuxRuleSet", "override_action": "none", "priority": 50, "rule_action_override": [], "vendor_name": "AWS" }, { "name": "AWSManagedRulesUnixRuleSet", "override_action": "none", "priority": 60, "rule_action_override": [], "vendor_name": "AWS" } ]``` | no |
| name | A friendly name of the WebACL. | `string` | n/a | yes |
| scope | The scope of this Web ACL. Valid options: CLOUDFRONT, REGIONAL. | `string` | n/a | yes |
| tags | A mapping of tags to assign to the WAFv2 ACL. | `map(string)` | `{}` | no |
Expand Down
7 changes: 3 additions & 4 deletions examples/alb/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,9 +28,9 @@ module "wafv2" {
associate_alb = true
alb_arn = aws_lb.alb.arn
managed_rules = [
{ "excluded_rules" : [], "name" : "AWSManagedRulesAmazonIpReputationList", "override_action" : "none", "priority" : 1, "vendor_name" : "AWS", "rule_action_override" : [] },
{ "excluded_rules" : [], "name" : "AWSManagedRulesCommonRuleSet", "override_action" : "none", "priority" : 2, "vendor_name" : "AWS", "rule_action_override" : [{ "name" = "SizeRestrictions_BODY", "action_to_use" = "allow" }] },
{ "excluded_rules" : [], "name" : "AWSManagedRulesSQLiRuleSet", "override_action" : "none", "priority" : 3, "vendor_name" : "AWS", "rule_action_override" : [] }
{ "name" : "AWSManagedRulesAmazonIpReputationList", "override_action" : "none", "priority" : 1, "vendor_name" : "AWS", "rule_action_override" : [] },
{ "name" : "AWSManagedRulesCommonRuleSet", "override_action" : "none", "priority" : 2, "vendor_name" : "AWS", "rule_action_override" : [{ "name" = "SizeRestrictions_BODY", "action_to_use" = "allow" }] },
{ "name" : "AWSManagedRulesSQLiRuleSet", "override_action" : "none", "priority" : 3, "vendor_name" : "AWS", "rule_action_override" : [] }
]
filtered_header_rule = {
header_types = [
Expand Down Expand Up @@ -85,7 +85,6 @@ module "wafv2" {

group_rules = [
{
excluded_rules : [],
name : aws_wafv2_rule_group.block_countries.name,
arn : aws_wafv2_rule_group.block_countries.arn,
override_action : "none",
Expand Down
13 changes: 0 additions & 13 deletions main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,12 +44,6 @@ resource "aws_wafv2_web_acl" "main" {
name = rule.value.name
vendor_name = rule.value.vendor_name
version = rule.value.version
dynamic "excluded_rule" {
for_each = rule.value.excluded_rules
content {
name = excluded_rule.value
}
}
dynamic "rule_action_override" {
for_each = rule.value.rule_action_override
content {
Expand Down Expand Up @@ -297,13 +291,6 @@ resource "aws_wafv2_web_acl" "main" {
statement {
rule_group_reference_statement {
arn = rule.value.arn

dynamic "excluded_rule" {
for_each = rule.value.excluded_rules
content {
name = excluded_rule.value
}
}
}
}

Expand Down
8 changes: 0 additions & 8 deletions variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,6 @@ variable "managed_rules" {
name = string
priority = number
override_action = string
excluded_rules = list(string)
vendor_name = string
version = optional(string)
rule_action_override = list(object({
Expand All @@ -27,47 +26,41 @@ variable "managed_rules" {
name = "AWSManagedRulesCommonRuleSet",
priority = 10
override_action = "none"
excluded_rules = []
vendor_name = "AWS"
rule_action_override = []
},
{
name = "AWSManagedRulesAmazonIpReputationList",
priority = 20
override_action = "none"
excluded_rules = []
vendor_name = "AWS"
rule_action_override = []
},
{
name = "AWSManagedRulesKnownBadInputsRuleSet",
priority = 30
override_action = "none"
excluded_rules = []
vendor_name = "AWS"
rule_action_override = []
},
{
name = "AWSManagedRulesSQLiRuleSet",
priority = 40
override_action = "none"
excluded_rules = []
vendor_name = "AWS"
rule_action_override = []
},
{
name = "AWSManagedRulesLinuxRuleSet",
priority = 50
override_action = "none"
excluded_rules = []
vendor_name = "AWS"
rule_action_override = []
},
{
name = "AWSManagedRulesUnixRuleSet",
priority = 60
override_action = "none"
excluded_rules = []
vendor_name = "AWS"
rule_action_override = []
}
Expand Down Expand Up @@ -166,7 +159,6 @@ variable "group_rules" {
arn = string
priority = number
override_action = string
excluded_rules = list(string)
}))
description = "List of WAFv2 Rule Groups."
default = []
Expand Down