crossplane-contrib / provider-upjet-aws

Official AWS Provider for Crossplane by Upbound.
https://marketplace.upbound.io/providers/upbound/provider-aws
Apache License 2.0

Support for configuring managed rule sets (WAF/Web ACL) #622

Open antoinne-williams opened 1 year ago

antoinne-williams commented 1 year ago

What problem are you facing?

With Terraform, I am able to configure an aws_wafv2_web_acl resource that is capable of setting a managed_rule_group_statement that corresponds to AWS Managed Rule Groups, like AWSManagedRulesCommonRuleSet. The documentation for the configuration is here: managed_rule_group_statement

With Crossplane, I was originally using provider-aws version 0.27.0 and saw that the wafv2.aws.upbound.io/v1beta1 API had an option for kind: RuleGroup, which felt like the natural resource to correspond with my intentions. For the sake of brevity, I looked through the docs for that resource on my provider version and did not see any options for managed_rule_group_statement. Additionally, I elected to use the newest provider version, but noticed that the resource was completely removed in the following commit.

At that point, I looked at other CRDs under waf/wafregional/wafv2 but did not see any options for this functionality explicitly. I basically want to do the following...

Terraform (some configs omitted for brevity)

resource "aws_wafv2_web_acl" "example" {
  name        = "${var.namespace}-web"
  description = "Firewall rules for access to application and consultation frontends"
  scope       = "CLOUDFRONT"

  default_action {
    allow {}
  }

  rule {
    name     = "example-name"
    priority = 1

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "example-name"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "webacl-example-name"
    sampled_requests_enabled   = true
  }
}

...with Crossplane

How could Official AWS Provider help solve your problem?

By enabling this capability, teams will be able to create and maintain all AWS WAF-related configs with Crossplane, without the need to enlist additional tools for the functionality.

If this capability exists, please provide an example with a similar level of detail to the examples published in this repo. They have been extremely easy to use and follow up to this point. Thank you 🙏
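Whichever tool ends up creating the web ACL, the managed rule group only protects anything when its override_action is none; with count, every match is just counted. The following added audit check (not part of this issue or the provider) walks a web ACL in the shape returned by `aws wafv2 get-web-acl` and flags managed rule groups that are count-only; the sample web ACL is constructed to mirror the Terraform config above, plus a second, count-only rule for contrast.

```python
# Constructed sample shaped like the "WebACL" object from `aws wafv2 get-web-acl`.
# Rule 1 mirrors the Terraform config in the issue; rule 2 is added for contrast.
SAMPLE_WEB_ACL = {
    "Name": "example-web",
    "DefaultAction": {"Allow": {}},
    "Rules": [
        {
            "Name": "example-name",
            "Priority": 1,
            "Statement": {
                "ManagedRuleGroupStatement": {
                    "VendorName": "AWS",
                    "Name": "AWSManagedRulesCommonRuleSet",
                }
            },
            "OverrideAction": {"None": {}},   # keep the group's block actions
        },
        {
            "Name": "sqli-count-only",
            "Priority": 2,
            "Statement": {
                "ManagedRuleGroupStatement": {
                    "VendorName": "AWS",
                    "Name": "AWSManagedRulesSQLiRuleSet",
                }
            },
            "OverrideAction": {"Count": {}},  # matches are only counted
        },
    ],
}


def managed_rule_groups(web_acl):
    """Return (vendor/name, blocking) for every managed rule group rule.

    A managed rule group rule carries OverrideAction: {"None": {}} keeps
    the group's own block actions, {"Count": {}} downgrades them to count.
    """
    found = []
    for rule in web_acl.get("Rules", []):
        stmt = rule.get("Statement", {}).get("ManagedRuleGroupStatement")
        if stmt is None:
            continue  # IP set, rate-based or custom rules are out of scope here
        blocking = "None" in rule.get("OverrideAction", {})
        found.append((f"{stmt['VendorName']}/{stmt['Name']}", blocking))
    return found


def count_only_groups(web_acl):
    """Managed rule groups that only count, so they block nothing."""
    return [name for name, blocking in managed_rule_groups(web_acl) if not blocking]
```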

tintii commented 1 year ago

In the same boat here. Would love to use crossplane to manage wafv2 rules, as with terraform the workflow would be a bit cumbersome in our organisation.

github-actions[bot] commented 3 months ago

This provider repo does not have enough maintainers to address every issue. Since there has been no activity in the last 90 days it is now marked as stale. It will be closed in 14 days if no further activity occurs. Leaving a comment starting with /fresh will mark this issue as not stale.