Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature Request: WAFv2 Web ACL Resource #11176

Closed
bflad opened this issue Dec 6, 2019 · 11 comments · Fixed by #12688
Closed

Feature Request: WAFv2 Web ACL Resource #11176

bflad opened this issue Dec 6, 2019 · 11 comments · Fixed by #12688
Assignees
Labels
new-resource Introduces a new resource. service/wafv2 Issues and PRs that pertain to the wafv2 service.
Milestone

Comments

@bflad
Copy link
Contributor

bflad commented Dec 6, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

In November 2019, AWS released a new version of the WAF API, WAFv2, which offers improved functionality over the previous WAF API ("WAF Classic") such as Managed Rules and WAF Capacity Units. This new API requires separate Terraform resource implementations from the previous resource implementations.

New or Affected Resource(s)

  • aws_wafv2_web_acl

Potential Terraform Configuration

resource "aws_wafv2_web_acl" "example" {
  default_action {
    allow {}
    block {}
  }

  description = ""
  name        = ""
  scope       = ""
  tags        = {}

  rule {
    action {
      # The below shows the current API structure, which means there may be intention to include
      # additional settings with each action type in the future
      # Purposefully empty configuration blocks are awkward in Terraform configurations and the Plugin SDK though, so we may want to shy away from the pure API schema mapping here if they cause any trouble
      allow {}
      block {}
      count {}
    }

    name = ""
    
    override_action {
      count {}
      none {}
    }

    priority = 1

    # these are not fully shown and appear to be recursive in some cases    
    statement {
      and_statement {
        statement {}
        statement {}
      }

      byte_match_statement {
        field_to_match {
          all_query_arguments {}
          body {}
          method {}
          query_string {}
          single_header {
            name = ""
          }
          single_query_argument {
            name = ""
          }
          uri_path {}
        }

        positional_constraint = ""
        search_string = ""

        text_transformation {
          priority = 1
          type = ""
        }
      }

      geo_match_statement {
        country_codes = []
      }

      ip_set_reference_statement {
        arn = ""
      }

      managed_rule_group_statement {
        excluded_rule {
          name = ""
        }

        name = ""
        vendor_name = ""
      }

      not_statement {
        statement {}
      }

      or_statement {
        statement {}
        statement {}
      }

      rate_based_statement {
        aggregate_key_type = ""
        limit = 100

        scope_down_statement {}
      }

      regex_pattern_set_reference_statement {
        arn = ""

        field_to_match {} # see above
        text_transformation {} # see above
      }

      rule_group_reference_statement {
        arn = ""

        excluded_rule {
          name = ""
        }
      }

      size_constraint_statement {
        comparison_operator = ""

        field_to_match {} # see above

        size = 1

        text_transformation {} # see above
      }

      sqli_match_statement {
        field_to_match {} # see above

        text_transformation {} # see above
      }

      xss_match_statement {
        field_to_match {} # see above

        text_transformation {} # see above
      }
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name = ""
    sampled_requests_enabled = true
  }
}

References

@bflad bflad added new-resource Introduces a new resource. service/wafv2 Issues and PRs that pertain to the wafv2 service. labels Dec 6, 2019
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Dec 6, 2019
@bflad bflad removed the needs-triage Waiting for first response or review from a maintainer. label Dec 6, 2019
@bflad bflad changed the title Feature Request: WAFv2 Web ACL Feature Request: WAFv2 Web ACL Resource Dec 6, 2019
@tobypinder
Copy link
Contributor

Will this encompass the "wafregional" equivalent here or is there a unified schema in V2 for both types?

@ewbankkit
Copy link
Contributor

@tobypinder WAFv2 does include the classic/legacy WAF Regional functionality: https://docs.aws.amazon.com/waf/latest/APIReference/API_Operations.html.

@rsclarke-vgw
Copy link

To add, the proposed terraform configuration should also take into account the PutLoggingConfiguration for the Web ACL, similar to WAF Classic aws_waf_web_acl.

@wicked-rides
Copy link

Is there a link for the updated v2 documentation?

Thank You,

@briensherman
Copy link

Is there any update on when this feature might be implemented and available for use via Terraform? Additionally need to be able to use the AWS managed rule groups with regional WAFv2 web ACLs, and configure the CloudWatch metrics, etc... with the WAFv2 web ACLs.

@shadbi
Copy link

shadbi commented Mar 27, 2020

Is there any update on when this feature ( WAF v2 ), might be implemented and available for use via Terraform? for the moment i don't find any ressource or terraform documentation about it.
thanks

@pvanbuijtene
Copy link
Contributor

pvanbuijtene commented Mar 30, 2020

@briensherman @shadbi I'm currently busy implementing the resources, already did #12119 #12284 and I'm now busy with wafv2_rule_group. I'm at about 80% and will start with this one once finished.

@anGie44
Copy link
Contributor

anGie44 commented Jun 12, 2020

This feature has been merged and will release with v2.67.0 of the Terraform AWS Provider, expected next week.

@ghost
Copy link

ghost commented Jun 19, 2020

This has been released in version 2.67.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@itsSaad
Copy link

itsSaad commented Jun 19, 2020

@anGie44 Did we miss the PutLoggingConfiguration for some reason or was it not part of the scope for this resource or should we expect a new resource for it to match the API behaviour? Any timelines for it?

@ghost
Copy link

ghost commented Jul 13, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Jul 13, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
new-resource Introduces a new resource. service/wafv2 Issues and PRs that pertain to the wafv2 service.
Projects
None yet
Development

Successfully merging a pull request may close this issue.