search

hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0
9.81k stars 9.16k forks source link

Feature Request: WAFv2 Web ACL Resource #11176

Closed bflad closed 4 years ago

bflad commented 4 years ago

Community Note

Description

In November 2019, AWS released a new version of the WAF API, WAFv2, which offers improved functionality over the previous WAF API ("WAF Classic") such as Managed Rules and WAF Capacity Units. This new API requires separate Terraform resource implementations from the previous resource implementations.

New or Affected Resource(s)

Potential Terraform Configuration

resource "aws_wafv2_web_acl" "example" {
  default_action {
    allow {}
    block {}
  }

  description = ""
  name        = ""
  scope       = ""
  tags        = {}

  rule {
    action {
      # The below shows the current API structure, which means there may be intention to include
      # additional settings with each action type in the future
      # Purposefully empty configuration blocks are awkward in Terraform configurations and the Plugin SDK though, so we may want to shy away from the pure API schema mapping here if they cause any trouble
      allow {}
      block {}
      count {}
    }

    name = ""

    override_action {
      count {}
      none {}
    }

    priority = 1

    # these are not fully shown and appear to be recursive in some cases    
    statement {
      and_statement {
        statement {}
        statement {}
      }

      byte_match_statement {
        field_to_match {
          all_query_arguments {}
          body {}
          method {}
          query_string {}
          single_header {
            name = ""
          }
          single_query_argument {
            name = ""
          }
          uri_path {}
        }

        positional_constraint = ""
        search_string = ""

        text_transformation {
          priority = 1
          type = ""
        }
      }

      geo_match_statement {
        country_codes = []
      }

      ip_set_reference_statement {
        arn = ""
      }

      managed_rule_group_statement {
        excluded_rule {
          name = ""
        }

        name = ""
        vendor_name = ""
      }

      not_statement {
        statement {}
      }

      or_statement {
        statement {}
        statement {}
      }

      rate_based_statement {
        aggregate_key_type = ""
        limit = 100

        scope_down_statement {}
      }

      regex_pattern_set_reference_statement {
        arn = ""

        field_to_match {} # see above
        text_transformation {} # see above
      }

      rule_group_reference_statement {
        arn = ""

        excluded_rule {
          name = ""
        }
      }

      size_constraint_statement {
        comparison_operator = ""

        field_to_match {} # see above

        size = 1

        text_transformation {} # see above
      }

      sqli_match_statement {
        field_to_match {} # see above

        text_transformation {} # see above
      }

      xss_match_statement {
        field_to_match {} # see above

        text_transformation {} # see above
      }
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name = ""
    sampled_requests_enabled = true
  }
}

References

tobypinder commented 4 years ago

Will this encompass the "wafregional" equivalent here or is there a unified schema in V2 for both types?

ewbankkit commented 4 years ago

@tobypinder WAFv2 does include the classic/legacy WAF Regional functionality: https://docs.aws.amazon.com/waf/latest/APIReference/API_Operations.html.

rsclarke-vgw commented 4 years ago

To add, the proposed terraform configuration should also take into account the PutLoggingConfiguration for the Web ACL, similar to WAF Classic aws_waf_web_acl.

wicked-rides commented 4 years ago

Is there a link for the updated v2 documentation?

Thank You,

briensherman commented 4 years ago

Is there any update on when this feature might be implemented and available for use via Terraform? Additionally need to be able to use the AWS managed rule groups with regional WAFv2 web ACLs, and configure the CloudWatch metrics, etc... with the WAFv2 web ACLs.

shadbi commented 4 years ago

Is there any update on when this feature ( WAF v2 ), might be implemented and available for use via Terraform? for the moment i don't find any ressource or terraform documentation about it. thanks

pvanbuijtene commented 4 years ago

@briensherman @shadbi I'm currently busy implementing the resources, already did #12119 #12284 and I'm now busy with wafv2_rule_group. I'm at about 80% and will start with this one once finished.

anGie44 commented 4 years ago

This feature has been merged and will release with v2.67.0 of the Terraform AWS Provider, expected next week.

ghost commented 4 years ago

This has been released in version 2.67.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

itsSaad commented 4 years ago

@anGie44 Did we miss the PutLoggingConfiguration for some reason or was it not part of the scope for this resource or should we expect a new resource for it to match the API behaviour? Any timelines for it?

ghost commented 4 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!