cloudposse / terraform-aws-waf

https://cloudposse.com/accelerate
Apache License 2.0
41 stars, 57 forks

Fix `scope_down_statement` Rules #90

Closed (RoseSecurity closed 4 months ago)

RoseSecurity commented 4 months ago

what

Rate Limit Rule Example

scoped_rule

why

testing

Utilized the following example Atmos component:

        rate_based_statement_rules:
          - name: "scoped-rate-limit"
            action: "block"
            priority: 10
            statement:
              limit: 1000
              aggregate_key_type: "IP"
              evaluation_window_sec: 300
              scope_down_statement:
                byte_match_statement:
                  field_to_match:
                    uri_path: true
                  positional_constraint: "STARTS_WITH"
                  search_string: "/test"
                  text_transformation:
                    - priority: 0
                      type: "NONE"

Which resulted in the following Terraform plan and apply:

      + rule {
          + name     = "scoped-rate-limit"
          + priority = 10

          + action {
              + block {
                }
            }

          + statement {
              + rate_based_statement {
                  + aggregate_key_type    = "IP"
                  + evaluation_window_sec = 300
                  + limit                 = 1000

                  + scope_down_statement {
                      + byte_match_statement {
                          + positional_constraint = "STARTS_WITH"
                          + search_string         = "/test"

                          + field_to_match {
                              + uri_path {}
                            }

                          + text_transformation {
                              + priority = 0
                              + type     = "NONE"
                            }
                        }
                    }
                }
            }

And Terratest output:

TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:           + statement {
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:               + rate_based_statement {
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                   + aggregate_key_type    = "IP"
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                   + evaluation_window_sec = 300
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                   + limit                 = 100
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66: 
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                   + scope_down_statement {
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                       + byte_match_statement {
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                           + positional_constraint = "STARTS_WITH"
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                           + search_string         = "example-scope-down-statement"
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66: 
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                           + field_to_match {
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                               + uri_path {}
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                             }
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66: 
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                           + text_transformation {
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                               + priority = 40
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                               + type     = "NONE"
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                             }
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                         }
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                     }
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:                 }
TestExamplesComplete 2024-07-17T03:17:38Z logger.go:66:             }

references
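To make concrete what the `scope_down_statement` in the example component does once the rule is deployed, the following is an added simulation, not code from cloudposse/terraform-aws-waf or from AWS. The rule parameters (limit, aggregation key, window, byte match on `uri_path` with `STARTS_WITH "/test"`) are copied from the component above; the `Request` type, the IP addresses and request stream, and the simplified sliding-window evaluation are constructed assumptions for the example. Real AWS WAF counts per aggregation key on a coarser schedule with some propagation delay, and `evaluation_window_sec` accepts only 60, 120, 300 or 600.

```python
"""Simulate an AWS WAF rate-based rule that carries a scope_down_statement.

Added illustration, not code from cloudposse/terraform-aws-waf or from AWS.
The evaluation model is a simplification: requests matching the scope-down
statement are counted per aggregation key over a sliding window and the key
is blocked once it exceeds the limit.  The traffic below is constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Rule parameters copied from the example Atmos component above.
RULE = {
    "limit": 1000,
    "aggregate_key_type": "IP",
    "evaluation_window_sec": 300,
    "scope_down_statement": {
        "byte_match_statement": {
            "field_to_match": {"uri_path": True},
            "positional_constraint": "STARTS_WITH",
            "search_string": "/test",
            "text_transformation": [{"priority": 0, "type": "NONE"}],
        }
    },
}


@dataclass(frozen=True)
class Request:
    """Constructed request record (assumption: only these fields matter here)."""
    ts: float       # epoch seconds
    ip: str
    uri_path: str


def apply_transformations(value: str, transformations: list) -> str:
    """Apply the text transformations this example supports, in priority order.
    NONE leaves the value unchanged; LOWERCASE folds case."""
    for t in sorted(transformations, key=lambda t: t["priority"]):
        if t["type"] == "NONE":
            continue
        if t["type"] == "LOWERCASE":
            value = value.lower()
        else:
            raise ValueError(f"unsupported text transformation {t['type']!r}")
    return value


def byte_match(stmt: dict, req: Request) -> bool:
    """Evaluate a byte_match_statement against the request's uri_path."""
    if not stmt["field_to_match"].get("uri_path"):
        raise ValueError("only field_to_match.uri_path is modelled here")
    value = apply_transformations(req.uri_path, stmt["text_transformation"])
    needle = stmt["search_string"]
    constraint = stmt["positional_constraint"]
    if constraint == "EXACTLY":
        return value == needle
    if constraint == "STARTS_WITH":
        return value.startswith(needle)
    if constraint == "ENDS_WITH":
        return value.endswith(needle)
    if constraint == "CONTAINS":
        return needle in value
    raise ValueError(f"unsupported positional constraint {constraint!r}")


def scope_down_matches(rule: dict, req: Request) -> bool:
    """A rule without a scope_down_statement counts every request."""
    sd = rule.get("scope_down_statement")
    if sd is None:
        return True
    return byte_match(sd["byte_match_statement"], req)


class RateBasedRule:
    """Sliding-window counter keyed by source IP (aggregate_key_type IP)."""

    def __init__(self, rule: dict):
        self.rule = rule
        self.window = rule["evaluation_window_sec"]
        self.limit = rule["limit"]
        self.hits = defaultdict(deque)

    def evaluate(self, req: Request) -> str:
        """Return "block" when the request is in scope and its IP exceeds the
        limit within the window, otherwise "allow"."""
        if not scope_down_matches(self.rule, req):
            return "allow"      # out of scope: neither counted nor blocked here
        q = self.hits[req.ip]
        q.append(req.ts)
        while q and q[0] <= req.ts - self.window:
            q.popleft()         # drop hits that fell out of the window
        return "block" if len(q) > self.limit else "allow"


def run(requests, rule=RULE) -> dict:
    """Evaluate a request stream; return per-IP counts of allow/block."""
    engine = RateBasedRule(rule)
    out = defaultdict(lambda: {"allow": 0, "block": 0})
    for r in requests:
        out[r.ip][engine.evaluate(r)] += 1
    return dict(out)


def constructed_traffic():
    """Constructed sample: one IP floods /test/login, one floods /, one is quiet."""
    reqs = []
    for i in range(1500):
        reqs.append(Request(ts=i * 0.1, ip="203.0.113.10", uri_path="/test/login"))
        reqs.append(Request(ts=i * 0.1, ip="203.0.113.20", uri_path="/"))
    reqs.append(Request(ts=200.0, ip="203.0.113.30", uri_path="/test"))
    return reqs


if __name__ == "__main__":
    for ip, counts in run(constructed_traffic()).items():
        print(ip, counts)
```

Running it shows the effect of the scope-down: the IP flooding `/test/login` gets its first 1000 requests through and the remaining 500 blocked, while the IP flooding `/` is never counted by this rule at all, because the scope-down statement decides both what is counted and what can be blocked. Note also that `STARTS_WITH "/test"` is a plain prefix match, so `/testing` and `/test-reports` are in scope; check that against the intended paths before relying on a rule like this.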

mergify[bot] commented 4 months ago

💥 This pull request now has conflicts. Could you fix it @RoseSecurity? 🙏

RoseSecurity commented 4 months ago

/terratest

github-actions[bot] commented 4 months ago

These changes were released in v1.7.2.