Feat/waf regex

[omartehsin1]

Summary | Résumé

Added Regex rule to allow specific URI Paths.

[github-actions[bot]]

Production: cloudfront

✅   Terraform Format: success ✅   Terraform Plan: success ✅   Conftest: success

Plan: 1 to add, 1 to change, 0 to destroy

Show plan

```terraform Resource actions are indicated with the following symbols: + create ~ update in-place Terraform will perform the following actions: # aws_wafv2_regex_pattern_set.valid_uri_paths will be created + resource "aws_wafv2_regex_pattern_set" "valid_uri_paths" { + arn = (known after apply) + description = "Regex to match the APIs valid URI paths" + id = (known after apply) + lock_token = (known after apply) + name = "ValidURIPaths" + scope = "CLOUDFRONT" + tags = { + "CostCentre" = "simplify-privacy-statements-production" + "Terraform" = "true" } + tags_all = { + "CostCentre" = "simplify-privacy-statements-production" + "Terraform" = "true" } + regular_expression { + regex_string = "^/(en/agreement-1?lang=fr|fr/agreement-1?lang=en)?$" } + regular_expression { + regex_string = "^/(en/agreement-1|fr/agreement-1)$" } + regular_expression { + regex_string = "^/(en|fr)$" } + regular_expression { + regex_string = "^/access/(agreement-[\\d]{8}.docx)?$" } } # aws_wafv2_web_acl.simplify_privacy_statements_waf will be updated in-place ~ resource "aws_wafv2_web_acl" "simplify_privacy_statements_waf" { id = "9bf34e99-b15f-4f28-9630-812dd5aa0cf9" name = "simplify_privacy_statements_waf" tags = { "CostCentre" = "simplify-privacy-statements-production" "Terraform" = "true" } # (6 unchanged attributes hidden) + rule { + name = "APIInvalidPath" + priority = 5 + action { + block { } } + statement { + not_statement { + statement { + regex_pattern_set_reference_statement { + arn = (known after apply) + field_to_match { + uri_path {} } + text_transformation { + priority = 1 + type = "COMPRESS_WHITE_SPACE" } + text_transformation { + priority = 2 + type = "LOWERCASE" } } } } } + visibility_config { + cloudwatch_metrics_enabled = true + metric_name = "APIInvalidPaths" + sampled_requests_enabled = true } } - rule { - name = "AWSManagedRulesAmazonIpReputationList" -> null - priority = 10 -> null - override_action { - none {} } - statement { - managed_rule_group_statement { - name = "AWSManagedRulesAmazonIpReputationList" -> null - vendor_name = "AWS" -> null } } - visibility_config { - cloudwatch_metrics_enabled = true -> null - metric_name = "AWSManagedRulesAmazonIpReputationList" -> null - sampled_requests_enabled = true -> null } } + rule { + name = "AWSManagedRulesAmazonIpReputationList" + priority = 10 + override_action { + none {} } + statement { + managed_rule_group_statement { + name = "AWSManagedRulesAmazonIpReputationList" + vendor_name = "AWS" } } + visibility_config { + cloudwatch_metrics_enabled = true + metric_name = "AWSManagedRulesAmazonIpReputationList" + sampled_requests_enabled = true } } - rule { - name = "AWSManagedRulesCommonRuleSet" -> null - priority = 30 -> null - override_action { - none {} } - statement { - managed_rule_group_statement { - name = "AWSManagedRulesCommonRuleSet" -> null - vendor_name = "AWS" -> null } } - visibility_config { - cloudwatch_metrics_enabled = true -> null - metric_name = "AWSManagedRulesCommonRuleSet" -> null - sampled_requests_enabled = true -> null } } + rule { + name = "AWSManagedRulesCommonRuleSet" + priority = 30 + override_action { + none {} } + statement { + managed_rule_group_statement { + name = "AWSManagedRulesCommonRuleSet" + vendor_name = "AWS" } } + visibility_config { + cloudwatch_metrics_enabled = true + metric_name = "AWSManagedRulesCommonRuleSet" + sampled_requests_enabled = true } } - rule { - name = "AWSManagedRulesKnownBadInputsRuleSet" -> null - priority = 40 -> null - override_action { - none {} } - statement { - managed_rule_group_statement { - name = "AWSManagedRulesKnownBadInputsRuleSet" -> null - vendor_name = "AWS" -> null } } - visibility_config { - cloudwatch_metrics_enabled = true -> null - metric_name = "AWSManagedRulesKnownBadInputsRuleSet" -> null - sampled_requests_enabled = true -> null } } + rule { + name = "AWSManagedRulesKnownBadInputsRuleSet" + priority = 40 + override_action { + none {} } + statement { + managed_rule_group_statement { + name = "AWSManagedRulesKnownBadInputsRuleSet" + vendor_name = "AWS" } } + visibility_config { + cloudwatch_metrics_enabled = true + metric_name = "AWSManagedRulesKnownBadInputsRuleSet" + sampled_requests_enabled = true } } - rule { - name = "AWSManagedRulesLinuxRuleSet" -> null - priority = 50 -> null - override_action { - none {} } - statement { - managed_rule_group_statement { - name = "AWSManagedRulesLinuxRuleSet" -> null - vendor_name = "AWS" -> null } } - visibility_config { - cloudwatch_metrics_enabled = true -> null - metric_name = "AWSManagedRulesLinuxRuleSet" -> null - sampled_requests_enabled = true -> null } } + rule { + name = "AWSManagedRulesLinuxRuleSet" + priority = 50 + override_action { + none {} } + statement { + managed_rule_group_statement { + name = "AWSManagedRulesLinuxRuleSet" + vendor_name = "AWS" } } + visibility_config { + cloudwatch_metrics_enabled = true + metric_name = "AWSManagedRulesLinuxRuleSet" + sampled_requests_enabled = true } } # (3 unchanged blocks hidden) } Plan: 1 to add, 1 to change, 0 to destroy. Warning: Argument is deprecated with module.log_bucket.aws_s3_bucket.this, on .terraform/modules/log_bucket/S3_log_bucket/main.tf line 8, in resource "aws_s3_bucket" "this": 8: resource "aws_s3_bucket" "this" { Use the aws_s3_bucket_server_side_encryption_configuration resource instead (and 3 more similar warnings elsewhere) ───────────────────────────────────────────────────────────────────────────── Saved the plan to: plan.tfplan To perform exactly these actions, run the following command to apply: terraform apply "plan.tfplan" Releasing state lock. This may take a few moments... ```

Show Conftest results

```sh 18 tests, 18 passed, 0 warnings, 0 failures, 0 exceptions ```